b'REVIEW OF THE UNITED STATES\n    MARSHALS SERVICE\xe2\x80\x99S\n PRISONER TRACKING SYSTEM\n\n\n       U.S. Department of Justice\n     Office of the Inspector General\n              Audit Division\n\n          Audit Report 04-29\n             August 2004\n\x0c           REVIEW OF THE UNITED STATES MARSHALS SERVICE\xe2\x80\x99S\n                     PRISONER TRACKING SYSTEM\n\n                                EXECUTIVE SUMMARY\n\n        The United States Marshals Service (USMS) is responsible for housing\nfederal prisoners awaiting trial in federal courts. On any given day, the\nUSMS maintains custody of approximately 40,000 federal prisoners in local\njails, contract facilities, and federal Bureau of Prisons (BOP) facilities\nthroughout the country. Depending upon the length of a prisoner\xe2\x80\x99s court\ntrial, time spent in USMS custody may run from several days to several\nyears.\n\n      The USMS uses the Prisoner Tracking System (PTS) application to\nmaintain tracking information for federal prisoners in USMS custody. The\nPTS contains information that is specific to each individual prisoner, including\nthe prisoner\xe2\x80\x99s personal data, property, medical information, criminal\ninformation, and location. Additionally, the USMS uses the application as an\ninformational and scheduling tool to assist USMS personnel in locating\nprisoners for court appearances. Prisoners\xe2\x80\x99 records are created using\ninformation obtained from key source documents, and this information is\nentered into the PTS. The PTS information is critical to processing and\ntransporting prisoners because the USMS relies on the confidentiality,\navailability, and integrity of this information to ensure the safety of both the\nprisoners and the law enforcement officers charged with their care.\n\n       The objectives of this audit were to assess the effectiveness of select\ngeneral controls for the PTS at the entity-wide level, review PTS\xe2\x80\x99s application\ncontrols, and perform data integrity testing. The Office of the Inspector\nGeneral (OIG) performed this audit in accordance with the Government\nAuditing Standards. We used the Federal Information System Controls Audit\nManual (FISCAM), Department of Justice (Department) policies and\nprocedures, National Institute of Standards and Technology (NIST) Special\nPublications (SP), Office of Management and Budget (OMB) Guidelines, and\nthe USMS\xe2\x80\x99s policies for prisoner processing and cellblock operations as\ncriteria for this audit.1 Specific details of our audit objectives, scope, and\nmethodology appear in Appendix 1.\n\n\n       1\n          The General Accounting Office\xe2\x80\x99s (GAO) FISCAM provides a methodology for guiding\nauditors in evaluating general and application controls used by information systems to\nprotect the integrity, confidentiality, and availability of data. Descriptions of the FISCAM\nselect general control and application control areas tested during this audit can be found in\nAppendix 3.\n\x0c       The USMS divides its operations into four regions with 94 district\noffices (DOs). To gain a nationwide represent ation of PTS operational\nactivities, we elected to review DOs in each of the four USMS regions. We\njudgmentally selected the following sites: Alexandria, Virginia; Washington,\nD.C.; New York, New York; Houston, Texas; Philadelphia, Pennsylvania;\nChicago, Illinois; Miami, Florida; and Phoenix, Arizona.\n\n       During our audit, we reviewed select general controls designed to\nprotect the PTS application against unauthorized use, loss, or modification of\nits data.2 Additionally, we reviewed application controls within the PTS that\nare used to ensure the validity, proper authorization, and completeness of\ntransactions when entering prisoners\xe2\x80\x99 data into the PTS. We also tested\noutput reports from the PTS application against source documents contained\nin prisoner file folders to assess the data integrity within the PTS.\n\nSUMMARY RESULTS OF THE AUDIT\n\nSelect General Controls\n\n      Our review of the PTS identified weaknesses within each of the six\ngeneral control categories designed to protect the PTS\xe2\x80\x99s system\nenvironment. Specifically, we found deficiencies within PTS\xe2\x80\x99s entity-wide\nsecurity program planning and management, access controls, application\nsoftware development and change control, system software, segregation of\nduties, and service continuity controls.\n\n\n\n\n       2\n          General controls are entity-wide controls used to protect a system\xe2\x80\x99s environment.\nThe PTS application can only be accessed via the USMS\xe2\x80\x99s Marshals Network (MNET);\ntherefore, MNET serves as the PTS application\xe2\x80\x99s system environment. We reviewed the\nselect general controls recommended by the FISCAM for evaluating and testing application\ncontrols because general controls for MNET were assessed during the OIG\xe2\x80\x99s January 2004\nFederal Information Security Management Act (FISMA) review. The results of this\nassessment can be found in the OIG\xe2\x80\x99s Audit Report No. 04-11.\n\n\n\n\n                                             ii\n\x0c       Following the chart below we summarize each vulnerability.\n\n                             GENERAL CONTROL AREAS\n\n                                                                    VULNERABILITIES\n                                                                        NOTED\nEntity-wide Security Program Planning & Management\nAssess risks periodically\nDocument an entity-wide security program plan\nEstablish a security management structure and clearly assign\nsecurity responsibilities                                                  \xe2\x88\x9a\nImplement effective security-related personnel policies                    \xe2\x88\x9a\nMonitor the security program\xe2\x80\x99s effectiveness and make changes\nas needed\nAccess Controls\nClassify information resources according to their criticality and\nsensitivity\nMaintain a current list of authorized users and ensure that their\naccess is authorized                                                       \xe2\x88\x9a\nEstablish physical and logical controls to prevent and detect\nunauthorized access                                                        \xe2\x88\x9a\nMonitor access, investigate apparent security violations, and\ntake appropriate remedial action\nApplication Software Development & Change Control\nAuthorize processing features and modifications                            \xe2\x88\x9a\nTest and approve all new and revised software\nControl software libraries\nSystem Software\nLimit access to system software\nMonitor access to and use of system software\nControl system software changes                                            \xe2\x88\x9a\nSegregation of Duties\nSegregate incompatible duties and establish related policies               \xe2\x88\x9a\nEstablish access controls to enforce segregation of duties\nControl personnel activities through formal operating procedures\nand supervision and review                                                 \xe2\x88\x9a\nService Continuity\nAssess the criticality and sensitivity of computerized operations\nand identify supporting resources                                          \xe2\x88\x9a\nTake steps to prevent and minimize potential damage and\ninterruption                                                               \xe2\x88\x9a\nDevelop and document a comprehensive contingency plan\nTest the contingency plan periodically and adjust it as\nappropriate                                                                \xe2\x88\x9a\n\n\n\n\n                                         iii\n\x0cEntity-wide Security Program Planning and Management\n\n      Within the area of entity-wide security program planning and\nmanagement, a security manager for the PTS application was not appointed\nand employees lacked adequate training and expertise. These deficiencies\ncould negatively impact the USMS\xe2\x80\x99s ability to assess risks and provide\nprotection for sensitive PTS data.\n\nAccess Controls\n\n       The USMS did not properly maintain the PTS authorized user list and\nallowed accounts to remain on the list for employees who no longer required\naccess. Active but invalid accounts could enable an unauthorized user to gain\naccess to sensitive information. Ineffective access controls diminish the\nreliability of data and subject the system to unauthorized use, loss, or\nmodification.\n\n      Additionally, the USMS did not enforce physical access controls to\nprotect data entry terminals from access by unauthorized users. Physical\naccess to computer facilities that house data entry terminals could allow\nunauthorized individuals to obtain confidential printed reports, view sensitive\ndata displayed on computer screens, and steal or damage equipment.\n\nApplication Software Development and Change Control\n\n      Interviews conducted during our site visits disclosed that program\nmodifications were not properly authorized. Application users are generally\nresponsible for requesting and authorizing system changes. However, we\nfound that the PTS application end-users were either unfamiliar with or\nunaware of the process for requesting changes to the application.\nInadequacies with controls that protect application software from\nunauthorized changes could result in the USMS allowing unauthorized\nmodifications to be made to the PTS application.\n\nSystem Software\n\n      The effectiveness of the PTS\xe2\x80\x99s system software controls were\njeopardized because the USMS is using outdated programming and database\nmanagement software to support the application. The use of such outdated\nsoftware prevents the USMS from implementing new security enhancements\nthat are designed to protect the application. This deficiency also increases\nthe risk that without timely software updates that enhance functionality and\n\n\n\n\n                                      iv\n\x0csecurity, data could be improperly processed by the application or\ninsufficiently protected.\n\nSegregation of Duties\n\n      Policies and procedures are not in place to segregate incompatible\nduties for personnel performing critical functions, such as prisoner intake and\nrecord creation processes. Compounding this problem, the USMS has no\nformal procedures to guide personnel performing activities that directly affect\nthe reliability of the PTS data. Without the segregation of duties, and in the\nabsence of formal procedures, the USMS cannot ensure the confidentiality,\nintegrity, and availability of PTS data during the prisoner processing cycle.\n\nService Continuity\n\n       Backup tapes were not being rotated off-site, and the contingency plan\nfor the PTS had not been tested. We also found that key personnel\nresponsible for emergency response activities lacked sufficient training and\nexpertise. System administrators were not familiar with the current version\nof the software supporting the PTS application or the location of their local\nDOs database files. Consequently, the USMS may lose the capability to\nrestore the PTS\xe2\x80\x99s application software and data because it is relying on\ninsufficient preventative measures to mitigate service disruptions.\nMoreover, the USMS is depending on inadequately trained individuals to\nrespond appropriately in the case of an emergency and to assist in restoring\nthe application software and data files of this mission critical operation.\n\n\n\n\n                                      v\n\x0cApplication Controls\n\n      In addition to the general controls findings previously mentioned, our\nreview of the PTS identified deficiencies within each of the four application\ncontrol areas we tested. Following the chart below is a summary of each\nvulnerability indicated in the chart.\n\n                          APPLICATION CONTROL AREAS\n\n                                                                   VULNERABILITIES\n                                                                       NOTED\nAuthorization Controls\nAll data are authorized before entering the application system            \xe2\x88\x9a\nRestrict data entry terminals to authorized users for authorized\npurposes                                                                  \xe2\x88\x9a\nMaster files and exception reporting help ensure all data are\nprocessed and are authorized\nCompleteness Controls\nAll authorized transactions are entered into and processed by\nthe computer                                                              \xe2\x88\x9a\nReconciliations are performed to verify data completeness\nAccuracy Controls\nData entry design features contribute to data accuracy\nData validation and editing are performed to identify erroneous\ndata\nErroneous data are captured, reported, investigated, and\ncorrected                                                                 \xe2\x88\x9a\nOutput reports are reviewed to help maintain data accuracy\nand validity                                                              \xe2\x88\x9a\nControls Over Integrity of Processing and Data Files\nProcedures ensure that the current version of production\nprograms and data files are used during processing\nPrograms include routines to verify that the proper version of\nthe computer files is used during processing\nPrograms include routines for checking internal file header\nlabels before processing\nMechanisms within the application protect against concurrent\nfile updates                                                              \xe2\x88\x9a\n\nAuthorization Controls\n\n      We found problems with authorization controls that ensure the validity\nof transactions. The USMS has not formally established baseline\nrequirements for key source documents used to create prisoner records in\nthe PTS or for the proper authorization of source documents. This lack of\nstandards from the USMS headquarters for key source documents resulted in\n\n\n\n                                         vi\n\x0cinconsistent data collection, record creation, and file maintenance practices\nthroughout the USMS sites audited. Formal standards would help to ensure,\nat a minimum, that each prisoner file folder contains photographs, medical\ninformation, and fingerprint cards. Also, such standards would help to\nensure that critical identifying information is collected from a reliable source.\nThese standards could also provide reasonable assurance against the\nmisidentification or mishandling of a prisoner due to inaccurate,\nunauthorized, or unreliable data.\n\n      Additionally, supervisory or independent reviews to ensure the proper\nauthorization of source documents and transactions were not being\nperformed prior to the data being entered into the PTS. This occurred\nbecause the USMS has not implemented adequate authorization standards\nfor source documents or required that supervisory reviews be performed on\na consistent basis. This precautionary measure would help ensure that\ntransactions are properly authorized and supported by a reliable source\ndocument that has been signed. It would also assist with the prevention of\nunauthorized, inappropriate, or incorrect transactions from being entered\nthat could negatively impact the integrity of data within the PTS.\n\n      Controls for ensuring that data entry terminals are used for authorized\npurposes, such as audit logs, were weak. Audit logs that help to recreate\nevents and track user activity were not being maintained for the PTS\napplication. The USMS management does not require that audit logs be\nmaintained for the PTS to track the occurrence of unauthorized activities. In\nour opinion, this condition increases the risk to the USMS that covert activity\nby a user, such as entering an unauthorized transaction resulting in the early\nrelease of a prisoner, may go undetected. The risks to the safety of the\nUSMS personnel who process and transport prisoners and the general public\nare increased when coupled with weak authorization controls over source\ndocuments and the lack of supervisory reviews of transactions.\n\nCompleteness Controls\n\n      The PTS application does not effectively use a completeness control\nknown as computer sequence checking to automatically perform global\ndatabase searches. Computer sequence checking would identify or prevent\nthe assignment of multiple USMS numbers to the same\nprisoner. 3 At present, each of the 94 DOs maintains a local PTS database\n\n\n\n\n      3\n         Computer sequence checking helps identify missing or duplicate numbers in a\nseries. USMS numbers are assigned sequentially to prisoners processed by a DO;\nhowever, database searches are conducted by prisoner name rather than USMS number.\n\n\n\n                                          vii\n\x0cand the application is only programmed to automatically perform searches\nfor existing name and USMS number information within a user\xe2\x80\x99s own local\ndatabase. The current configuration does not provide assurance that the\nprisoner does not have an existing USMS number in any one of the other 93\nlocal USMS databases. Without the capability to perform global searches of\nall existing databases, the USMS cannot ensure that it complies with its own\npolicies prohibiting the multiple assignment of USMS numbers to the same\nprisoner.\n\nAccuracy Controls\n\n      Within the area of accuracy controls, we found that the USMS\nmanagement does not have an effective means of determining the existence\nof erroneous data, such as uncorrected errors, or the severity of errors in\ndata entered into or processed by the application. Information regarding\nerroneous data was not collected and reported back to the USMS\nmanagement for investigation or correction. This occurred because the\nUSMS did not require that information regarding such data be collected.\nThis type of oversight could negatively impact the reliability of the PTS\xe2\x80\x99s\ndata through the propagation of undetected errors throughout the\napplication.\n\n       We also found that the PTS\xe2\x80\x99s accuracy controls were impacted because\nthe USMS did not adequately control the production and distribution of\nsensitive PTS output reports. Specifically, authorized users of the PTS print\nsensitive output reports to shared network printers used by non-authorized\nemployees. This practice exposes sensitive system data at a level above\nthat which employees are required to perform their duties. Without\nadequate controls over the distribution of output reports, unauthorized\nindividuals may inadvertently gain access to output reports and divulge\nsensitive and confidential information.\n\nControls Over Integrity of Processing and Data Files\n\n       Controls over integrity of processing and data files for the PTS\napplication were deficient. This was due to the USMS not ensuring that each\ninstallation of the PTS application at the 94 DOs nationwide protects against\nsimultaneous updates. We observed that the application allowed two users\nto update the same file concurrently, which raises doubt as to which user\xe2\x80\x99s\ninformation was accurately recorded and processed by the application. This\ntype of system malfunction could negatively impact the reliability of data\nwithin the PTS application.\n\n\n\n\n                                     viii\n\x0cData Integrity\n\n      In addition to the deficiencies discovered within PTS\xe2\x80\x99s general and\napplication controls, our audit disclosed weaknesses within PTS\xe2\x80\x99s data\nintegrity. We tested the two factors that contribute to data integrity:\ncompleteness of prisoner records and accuracy of information. Our review\ndiscovered weaknesses within both areas tested. A summary of each\nvulnerability follows the chart.\n\n                      Data Integrity Assessment Factors\n\n                                                                    VULNERABILITIES\n                                                                        NOTED\n Completeness of Information\n Records contain all of the data elements and documents\n                                                                               \xe2\x88\x9a\n used as support for the transactions\n Accuracy of Information\n Output reports reflect the data obtained from the source                      \xe2\x88\x9a\n documents\n\n\nCompleteness of Information\n\n       Our findings revealed deficiencies in the completeness of prisoner\nrecords. Many of the prisoner file folders we reviewed were missing key\nsource documents used to validate data entry transactions and to\nsubstantiate the actions taken by USMS personnel.4 This occurred because\nthe USMS did not establish and implement standards regarding data\ncollection in order to comply with federal records retention requirements.\nIncomplete prisoner file folders pose a significant risk to the USMS\xe2\x80\x99s ability to\nvalidate the PTS transactions, verify information, and justify the actions of its\nemployees. Additionally, maintaining adequate and proper documentation of\nprogram activities enables the USMS to protect the federal government\xe2\x80\x99s\nlegal and financial interests.\n\nAccuracy of Information\n\n      Reviews of output reports produced by the PTS application disclosed\ndiscrepancies in the accuracy of information. Output reports help to maintain\nthe accuracy and validity of data within a system and determine the\ncompleteness of processing. We found that prisoner identifying information,\nsuch as a prisoner\xe2\x80\x99s date of birth, appearing on the PTS output reports did\nnot match source documents contained in the prisoner\xe2\x80\x99s file folder.\n\n      4\n          The GAO defines a source document as any form of information that serves as the\nbasis for entry of data into a computer system.\n\n\n\n\n                                           ix\n\x0cAdditionally, critical dates, such as a prisoner\xe2\x80\x99s custody date, did not\ncorrelate with dates on source documents in the prisoner\xe2\x80\x99s file folder.\nInaccurate PTS information could result in the overpayment of jail bills, the\nuntimely release of a prisoner, or the misidentification of a prisoner requiring\nspecial handling within the prisoner population.\n\nCONCLUSION AND RECOMMENDATIONS\n\n      We consider our findings in the areas of select general controls,\napplication controls, and data integrity to be major weaknesses. We further\nconclude that the state of the PTS\xe2\x80\x99s existing controls poses a high risk to the\nprotection of its data from unauthorized use, loss, or modification.5\n\n      We conclude that these weaknesses occurred because the USMS did\nnot fully comply with current Department policies and procedures, NIST\nstandards, OMB guidelines, or its own procedures for prisoner processing\nand cellblock operations. If not corrected, these security vulnerabilities\ncould impair the USMS\xe2\x80\x99s ability to fully ensure the integrity, confidentiality,\nand availability of data within the PTS.\n\n      This report contains 20 recommendations for improving select general\ncontrols, application controls, and the integrity of data for the PTS. In\ngeneral, we recommend that the USMS:\n\n           \xe2\x80\xa2   Appoint a security manager responsible for the PTS application;\n\n           \xe2\x80\xa2   Develop a training program to ensure that PTS users receive\n               specialized training before being granted access to the\n               application and ensure that system administrators are trained in\n               their responsibilities;\n\n           \xe2\x80\xa2   Review access authorizations for the PTS application and update\n               the PTS authorized user list in a timely manner;\n\n           \xe2\x80\xa2   Ensure that existing measures, such as door locks, are used to\n               provide protection against unauthorized access to sensitive\n               areas;\n\n       5\n           NIST SP 800-18 defines risk as the possibility of harm or loss to any software,\ninformation, hardware, administrative, physical, communications, or personnel resource\nwithin an automated information system or activity. Additionally, NIST categorizes the\nrequirements for protecting the confidentiality, integrity, and availability of system\ninformation into three basic categories \xe2\x80\x93 high, medium, and low \xe2\x80\x93 according to the system\xe2\x80\x99s\nsensitivity level. Specifically, a high risk is considered a critical concern of the system.\n\n\n\n\n                                             x\n\x0c\xe2\x80\xa2   Inform users regarding policies and procedures for requesting\n    changes to the application and update the PTS\xe2\x80\x99s production\n    environment by replacing outdated software with current\n    software;\n\n\xe2\x80\xa2   Develop and enforce policies and procedures to segregate duties\n    among staff performing critical PTS functions;\n\n\xe2\x80\xa2   Identify and train employees involved in emergency response\n    procedures in their roles and responsibilities; maintain\n    emergency contact lists on-site; rotate and store backup tapes\n    off-site; and test the PTS contingency plan annually;\n\n\xe2\x80\xa2   Standardize the record creation process throughout the USMS\n    for the PTS and establish key source document requirements for\n    data collection;\n\n\xe2\x80\xa2   Implement a control, such as requiring the supervisory\n    authorization of data, to ensure that before information is\n    entered into the system, transactions are supported by properly\n    authorized source documents;\n\n\xe2\x80\xa2   Maintain and review audit trails for the PTS application;\n\n\xe2\x80\xa2   Modify PTS to perform automatic global database searches to\n    assist with the prevention of assigning multiple USMS numbers\n    to the same prisoner, report erroneous data to the PTS users\n    department for investigation and correction, and protect the PTS\n    output reports containing sensitive privacy information from\n    access by unauthorized persons;\n\n\xe2\x80\xa2   Ensure each installation of the PTS application protects against\n    simultaneous updates of the same record by more than one\n    end-user; and\n\n\xe2\x80\xa2   Maintain adequate source documents in prisoners\xe2\x80\x99 file folders to\n    substantiate employee activities and implement quality control\n    measures to ensure data integrity.\n\n\n\n\n                              xi\n\x0c                           TABLE OF CONTENTS\n\n                                                                                   Page\n\nI. BACKGROUND ...................................................................... 1\n     PTS Application System Environment ..................................... 2\n\nII. FINDINGS AND RECOMMENDATIONS........................................ 3\n       1. Select General Controls ................................................... 3\n          Entity-wide Security Program Planning and Management ....... 3\n          Access Controls.............................................................. 7\n          Application Software Development and Change Control.........11\n          System Software............................................................13\n          Segregation of Duties .....................................................15\n          Service Continuity ..........................................................17\n\n       2. Application Controls ........................................................21\n          Authorization Controls.....................................................22\n          Completeness Controls....................................................27\n          Accuracy Controls...........................................................29\n          Controls Over Integrity of Processing and Data Files .............33\n\n       3. Data Integrity Testing .....................................................34\n          Completeness of Information............................................35\n          Accuracy of Information ..................................................37\n\n\nIII. CONCLUSION ......................................................................40\n\n\nAPPENDIX 1       OBJECTIVES, SCOPE, AND METHODOLOGY .................43\nAPPENDIX 2       FIELDWORK SITE VISIT MAP....................................45\nAPPENDIX 3       FEDERAL INFORMATION SYSTEM CONTROLS AUDIT\n                 MANUAL, SELECT GENERAL CONTROLS AND\n                 APPLICATION CONTROLS.........................................46\nAPPENDIX 4       GENERAL ACCOUNTING OFFICE, ASSESSING THE\n                 RELIABILITY OF COMPUTER-PROCESSED DATA,\n                 DATA INTEGRITY ASSESSMENT FACTORS...................48\nAPPENDIX 5       GENERAL ACCOUNTING OFFICE, FEDERAL\n                 INFORMATION SYSTEM CONTROLS AUDIT MANUAL,\n                 GENERAL CONTROLS REVIEW GUIDELINES ................49\n\x0cAPPENDIX 6     GENERAL ACCOUNTING OFFICE, FEDERAL\n               INFORMATION SYSTEM CONTROLS AUDIT MANUAL,\n               APPLICATION CONTROLS REVIEW GUIDELINES...........67\nAPPENDIX 7     GENERAL ACCOUNTING OFFICE, ASSESSING THE\n               RELIABILITY OF COMPUTER-PROCESSED DATA,\n               DATA INTEGRITY ASSESSMENT GUIDELINES ..............76\nAPPENDIX 8     ACRONYMS AND ABBREVIATIONS.............................77\nAPPENDIX 9     GENERAL CONTROLS CRITERIA ................................78\nAPPENDIX 10 APPLICATION CONTROLS CRITERIA...........................79\nAPPENDIX 11 DATA INTEGRITY ASSESSMENT CRITERIA ..................81\nAPPENDIX 12 AUDITEE RESPONSE ...............................................82\nAPPENDIX 13 ANALYSIS AND SUMMARY OF ACTIONS\n            NECECESSARY TO CLOSE REPORT.............................92\n\x0c           REVIEW OF THE UNITED STATES MARSHALS SERVICE\xe2\x80\x99S\n                      PRISONER TRACKING SYSTEM\n\nI. BACKGROUND\n\n         The United States Marshals Service (USMS) is responsible for housing\n federal prisoners awaiting trial in federal courts. On any given day, the\n USMS maintains custody of approximately 40,000 federal prisoners in local\n jails, contract facilities, and federal Bureau of Prisons (BOP) facilities\n throughout the country. Depending upon the length of a prisoner\xe2\x80\x99s court\n trial, time spent in USMS custody may run from several days to several\n years.\n\n       The USMS Prisoner Tracking System (PTS) supports the USMS\xe2\x80\x99s\n responsibility to maintain custody of individual federal prisoners while\n criminal proceedings are pending. This period of custody extends from the\n time of their arrest or remand to the USMS by the court until the prisoner is\n sentenced, released from custody, or returned to the custody of the U.S.\n Parole Commission or the BOP.\n\n       The PTS was implemented by the USMS in March 1993 to maintain\n tracking information for federal prisoners and to monitor federal prisoners in\n state and local detention facilities under contract to the USMS. The PTS\n replaced the Prisoner Population Management System. The PTS captures\n information necessary to complete the administrative processing, housing,\n safekeeping, health care, and disposition of federal prisoners in USMS\n custody.6 From fiscal year (FY) 2001 to FY 2004, the PTS\xe2\x80\x99s total operating\n costs were $3,370,000, with annual operating costs averaging $842,500.\n Another $1,070,000 is projected for FY 2005 and a project to upgrade the\n PTS application\xe2\x80\x99s functionality, funded at $5 million over a 5-year period, is\n currently underway. 7\n\n      The PTS is also used as an informational and scheduling tool. As an\n informational tool, the PTS provides identifying data specific to each\n prisoner, including the prisoner\xe2\x80\x99s personal data, property, medical\n information, criminal information, location, and time spent at a facility. As a\n scheduling tool, PTS information assists USMS personnel in locating\n prisoners to be transported for court appearances.\n\n       6\n         USMS System Security Plan for the Prisoner Tracking System (PTS)/USMS\n Automated Booking System (USMS-ABS), June 2003.\n       7\n        Operating costs were obtained from budget requests submitted to the Office of\n Management and Budget by the Justice Management Division.\n\n                                            1\n\x0c      In addition, the PTS also contains records of court proceedings\ngenerated during the day-to-day processing and disposition of prisoners in\nthe USMS\xe2\x80\x99s custody. Prisoners\xe2\x80\x99 records contained within the PTS are created\nusing information obtained from key source documents, such as the\nindividual custody and detention form, intake photos, Federal Bureau of\nInvestigation (FBI) finger print cards, and the prisoners\xe2\x80\x99 medical form.\n\nPTS Application System Environment\n\n      The PTS application software runs on a local server in each of the 94\nUSMS district offices (DOs) located throughout the U.S. and its territories.\nIn addition to the application, a database is maintained on the local server\nthat contains information relative to prisoners processed by the DO. Thus,\nthe USMS PTS environment consists of 94 copies of the PTS application\nalong with 94 individual databases.\n\n       At each DO, PTS client workstations connect to their local PTS\napplication server to gain access to database information. PTS users initially\nlog into the Marshals\xe2\x80\x99 Network (MNET) located at the USMS headquarters in\nArlington, Virginia, in order to log into the PTS application server at the ir\nlocation. Additionally, remote users can gain access to the PTS server in\ntheir district by dialing into the remote access server located at the USMS\nheadquarters. The user is required to provide additional remote access user\nidentification information in order to log into MNET. The following diagram\ndepicts the PTS\xe2\x80\x99s access configuration.\n\n                    PTS Access Configuration\n\n\n                                             PTS\n                     PTS Laptop              Users\n                       Users\n\n\n\n\n                          HQ\n                                               HQ\n                        Remote\n                                              MNet\n                     Access Server\n\n                                          PTS Servers\n                                           94 District\n                                             Offices\n\n\n                                      2\n\x0cII. FINDINGS AND RECOMMENDATIONS\n\n        Our review of select general controls designed to protect the\n        PTS\xe2\x80\x99s system environment identified weaknesses with the\n        PTS\xe2\x80\x99s entity-wide security program planning and\n        management, access controls, application software\n        development and change control, system software,\n        segregation of duties, and service continuity controls. We\n        also identified deficiencies with the PTS\xe2\x80\x99s application controls\n        that are used to help ensure the validity of transactions and\n        proper authorization of data. These deficiencies included\n        inadequate authorization controls, completeness controls,\n        accuracy controls, and controls over integrity of processing\n        and data files. Our findings relative to data integrity included\n        deficiencies with the completeness of prisoner records and the\n        accuracy of information contained within the PTS. In our\n        judgment, these findings are major weaknesses in the PTS.\n        We consider the system overall to be at a high risk to the\n        protection of its data from unauthorized use, loss, or\n        modification. These weaknesses occurred because the USMS\n        did not develop or fully enforce its own policies or comply\n        with the Department policies, NIST standards, and OMB\n        guidelines. If not corrected, these weaknesses could impair\n        the USMS\xe2\x80\x99s ability to fully protect the integrity, confidentiality,\n        and availability of data contained within the PTS database.\n\n  1. SELECT GENERAL CONTROLS\n\n        General controls are entity-wide access controls used to safeguard a\n  system\xe2\x80\x99s environment. Our review of select general controls for the PTS\n  application identified weaknesses in all six of the Federal Information System\n  Controls Audit Manual (FISCAM) general controls areas \xe2\x80\x93 entity-wide\n  security program planning and management, access controls, application\n  software development and change control, system software, segregation of\n  duties, and service continuity controls.\n\n        Entity-wide Security Program Planning and Management\n\n       Entity-wide security program planning and management allows an\n  organization to establish a security control structure that enables senior\n\n\n\n\n                                          3\n\x0cmanagement to identify and address security risks. An effective plan\nrequires that an organization:\n\n       \xe2\x80\xa2   Assess risks periodically;\n       \xe2\x80\xa2   Document an entity-wide security program plan;\n       \xe2\x80\xa2   Establish a security management structure and clearly assign\n           security responsibilities;\n       \xe2\x80\xa2   Implement effective security-related personnel policies; and\n       \xe2\x80\xa2   Monitor the security program\xe2\x80\x99s effectiveness and make changes as\n           needed.\n\n       We confirmed that the USMS adequately assessed risks, documented\nan entity-wide security program plan, and monitored the security program\xe2\x80\x99s\neffectiveness. However, vulnerabilities were noted as indicated in the\nfollowing chart:\n\n           Entity-wide Security Program Planning & Management\n\n                                                                VULNERABILITIES\n                            CONTROL AREAS\n                                                                    NOTED\nAssess risks periodically\nDocument an entity-wide security program plan\nEstablish a security management structure and clearly assign\nsecurity responsibilities                                              \xe2\x88\x9a\nImplement effective security-related personnel policies                \xe2\x88\x9a\nMonitor the security program\xe2\x80\x99s effectiveness and make changes\nas needed\n\n\n       Establish a Security Management Structure and Clearly Assign\n       Security Responsibilities\n\n       Security managers are an essential component of an organization\xe2\x80\x99s\nsecurity control structure and are responsible for reporting compliance\nissues to senior management. Security managers perform specific functions\nto ensure the effectiveness of security plans established to protect systems\nthat maintain sensitive data. These functions include assessing and\nmanaging risks to protect the confidentiality, availability, and integrity of\nsystem data. Security managers are also actively involved in addressing\nthreats posed by authorized internal users and unauthorized outsiders\nattempting to gain access to system data, and implementing logical and\nphysical access controls to prevent breaches in security.\n\n    Our review of the PTS\xe2\x80\x99s entity-wide security program planning and\nmanagement revealed that no security manager for the PTS application had\n                                           4\n\x0cbeen formally appointed. This occurred because USMS did not establish a\nsecurity management structure and clearly assign security responsibilities.\n\n       The PTS\xe2\x80\x99s system security plan, included in the application\xe2\x80\x99s\ncertification and accreditation documentation, lists an individual as the\n\xe2\x80\x9cComputer Systems Security Officer (CSSO).\xe2\x80\x9d However, when we\ninterviewed the individual designated as the CSSO, we found that he was\nnot actively involved in providing security manager duties for the PTS\napplication and did not know he had been officially appointed. Subsequent\ninterviews with USMS management officials confirmed that the USMS had\nnot officially appointed a security manager to address computer security\npractices specific to the PTS application.\n\n       OMB Circular A-130 requires that an entity \xe2\x80\x9cassign responsibility for\nsecurity for each major application to a management official.\xe2\x80\x9d Furthermore,\nthe guidance recommends that the individual be \xe2\x80\x9cassigned the responsibility\nin writing to assure the application has adequate security.\xe2\x80\x9d\n\n      Without the appointment of a security manager for the PTS\napplication, the USMS cannot ensure that the application has adequate\nsecurity or that security-related tasks are carried out. Such tasks include\nproperly authorizing system access, communicating security policies to the\nuser population, and monitoring risk management activities.\n\n      Recommendation:\n\n            We recommend that the USMS:\n\n            1. Appoint a security manager responsible for the PTS\n               application and ensure the appointment is documented.\n\n      Implement Effective Security-Related Personnel Policies\n\n       The USMS did not implement effective security-related personnel\npolicies to assure that employees possess adequate training and expertise.\nThe USMS\xe2\x80\x99s Prisoner Services Division (PSD) offers specialized PTS training\nat a federal government facility in Glynco, Georgia. However, users of the\nPTS application who perform critical functions such as record creation and\nrecord updating were not required by management to attend the specialized\ntraining prior to being granted access to the system.\n\n       OMB Circular A-130 states that users of an application should receive\nspecialized training prior to being granted access, and that the specialized\ntraining should focus on their responsibilities and rules of expected behavior\n\n                                      5\n\x0cfor the application. We found that no policy existed that required users to\nreceive specialized training prior to or within a reasonable period after hire,\nand that the majority of PTS users had never received the specialized\ntraining offered by the USMS.\n\n      Additionally, we determined that USMS personnel functioning as\nsystem administrators for the application did not have adequate training\nand expertise. According to the system administrator position description\nprovided by the USMS, system administrators are responsible for\n\xe2\x80\x9coperating, troubleshooting, repairing, and maintaining IT systems.\xe2\x80\x9d\nAdditionally, the document states that employees must possess the\nrequisite technical knowledge to sustain the availability of the hardware and\nsoftware environment. The system administrator must also be competent\nto maintain operating systems, applications, and data elements. However,\nwe found that some system administrators were unfamiliar with their\nhardware and software environment and lacked specific knowledge, such as\nwhat version of the application was running on their server, what files\nsupported the application, or where the PTS database they were responsible\nfor protecting was located.\n\n      OMB Circular A-130 requires that an aspect of an entity\xe2\x80\x99s information\nmanagement policy should require that employees, such as system\nadministrators, are trained in skills appropriate to the management and\nprotection of system information and that this training shall be an ongoing\npart of the information life cycle.8\n\n       These deficiencies could negatively impact the USMS\xe2\x80\x99s ability to assess\nrisks and provide protection for sensitive PTS data.\n\n       Recommendations:\n\n              We recommend that the USMS:\n\n              2. Develop a training program to ensure that users of the PTS\n                 application receive specialized training before being granted\n                 access to the application.\n\n              3. Ensure that individuals performing system administrator\n                 duties are properly trained in their responsibilities.\n\n\n\n       8\n          OMB defines the term "information life cycle" as the stages through which\ninformation passes, typically characterized as creation or collection, processing,\ndissemination, use, storage, and disposition.\n\n                                            6\n\x0c       Access Controls\n\n      Access controls are designed to limit or detect access to computer\nprograms, data, and equipment to protect these resources from\nunauthorized modification, disclosure, loss, or impairment. Access controls\nare both logical and physical. These controls are used to ensure that staff\nduties and responsibilities are implemented in a way that safeguards\nprograms.\n\n      In order to successfully implement the critical elements of access\ncontrols, an organization must:\n\n          \xe2\x80\xa2   Classify information resources according to their criticality and\n              sensitivity;\n          \xe2\x80\xa2   Maintain a current list of authorized users and ensure that their\n              access is authorized;\n          \xe2\x80\xa2   Establish physical and logical controls to prevent or detect\n              unauthorized access; and\n          \xe2\x80\xa2   Monitor access, investigate apparent security violations, and\n              take appropriate remedial action.\n\n       We found that the USMS successfully classified information resources\nand investigated apparent security violations. However, vulnerabilities were\nidentified as indicated in the chart below:\n\n                                    Access Controls\n\n                                                                     VULNERABILITIES\n                     CONTROL AREAS\n                                                                         NOTED\nClassify information resources according to their criticality and\nsensitivity\nMaintain a current list of authorized users and ensure that\ntheir access is authorized                                                  \xe2\x88\x9a\nEstablish physical and logical controls to prevent and\ndetect unauthorized access                                                  \xe2\x88\x9a\nMonitor access, investigate apparent security violations, and take\nappropriate remedial action\n\n\n       Maintain a Current List of Authorized Users and Ensure That\n       Their Access is Authorized\n\n      We found that the PTS\xe2\x80\x99s list of authorized users contained multiple\nerrors and inaccurate information. This resulted because USMS\nheadquarters did not properly maintain a current list of authorized users that\nwas coordinated with information maintained by the DOs. Additionally, the\nUSMS did not regularly review the PTS authorized user list, validate the\nlevels of access authorized to users, or update the user list accordingly.\n                                             7\n\x0c        We obtained a consolidated user list for all authorized PTS users from\nUSMS headquarters. Officials at USMS headquarters informed us that\nsystem administrators at each DO were responsible for maintaining their\nrespective user list by adding and deleting names. Therefore, we sorted the\nheadquarters list by DO location to produce a list for each of the following\nsites we visited: Eastern District of Virginia (E/VA) in Alexandria, Virginia;\nthe District Court for the District of Columbia (DC/DC) in Washington, D.C.;\nthe Southern District of New York (S/NY) in New York, New York; the\nSouthern District of Texas (S/TX) in Houston, Texas; Eastern District of\nPennsylvania (E/PA) in Philadelphia, Pennsylvania; the Northern District of\nIllinois (N/IL) in Chicago, Illinois; the Southern District of Florida (S/FL) in\nMiami, Florida; and the District of Arizona (D/AZ) in Phoenix, Arizona.\n\n     Our review of the eight DO lists disclosed that: a) the USMS allowed\naccounts to remain on the application\xe2\x80\x99s authorized user list for employees\nwho no longer required access to the PTS; and b) the authorized user list\ngenerated by USMS headquarters did not match the authorized user lists\nmaintained at the DOs.\n\n       The following chart represents specific deficiencies noted during our\nreview of the authorized user list at each site we visited. The \xe2\x80\x9ctotal number\nof user accounts\xe2\x80\x9d column represents the total number of names appearing\non the PTS authorized user list obtained from the USMS headquarters for\neach site visited. The figures in the \xe2\x80\x9cnumber determined invalid or\nunknown\xe2\x80\x9d column represent accounts that could not be confirmed as \xe2\x80\x9cvalid\xe2\x80\x9d\nby the responsible system administrator. User accounts in this category\nwere determined to be \xe2\x80\x9cinvalid\xe2\x80\x9d if the names had not been removed from\nthe user list although the user had departed the site or was no longer\nauthorized access to the PTS application. User accounts were determined to\nbe \xe2\x80\x9cunknown\xe2\x80\x9d if the system administrator could not attest to the users\xe2\x80\x99\nidentity or their authority to access the application.\n\n                                   PTS Authorized User List\n                                                    Number Determined\n                        Total Number of             Invalid or Unknown             Percentage of\n          Sites          User Accounts                 by Comparing                   Invalid\n         Visited        According to HQ                  DO to HQ                    Accounts\n              E/VA            76                             16                        21%\n            DC/DC            111                             64                        58%\n              S/NY           144                             33                        23%\n              E/PA            94                             35                        37%\n              S/TX           346                            113                        33%\n               N/IL           88                             41                        47%\n              S/FL           143                             45                        31%\n              D/AZ           138                             45                        33%\n           Totals:         1140                            392                         34%\n    Source: The OIG\xe2\x80\x99s analysis of user lists workpapers for eight sites visited.\n\n\n                                                      8\n\x0c      A further review of the authorized user list for each site visited\nrevealed that erroneous or invalid entries appeared on the user list obtained\nfrom USMS headquarters. However, the system administrators provided\nevidence that they were properly maintaining the user list at their site. We\nsurmised that the discrepancies involving erroneous entries and unknown\naccounts occurred because the consolidated user list generated by USMS\nheadquarters was not incorporating the additions, deletions, and changes\nmade at the DO level.\n\n      The DO user lists extracted from the HQ consolidated user list\ncontained various column headings such as userID, name, and date of the\nuser\xe2\x80\x99s last login. In addition to the deficiencies previously noted, the\nfollowing deficiencies contributed to rendering accounts \xe2\x80\x9cinvalid:\xe2\x80\x9d\n\n   \xe2\x80\xa2   Employees\xe2\x80\x99 official titles and their DO locations were improperly\n       entered in the \xe2\x80\x9cname\xe2\x80\x9d field of the user list;\n   \xe2\x80\xa2   Descriptions of the employees\xe2\x80\x99 positions appeared in the \xe2\x80\x9cname\xe2\x80\x9d field\n       of the user list as opposed to the users\xe2\x80\x99 proper name;\n   \xe2\x80\xa2   UserID information (e.g., last name, first initial) frequently did not\n       match the actual user\xe2\x80\x99s name that appeared on the DO list; and\n   \xe2\x80\xa2   Entries were \xe2\x80\x9cmissing name information,\xe2\x80\x9d because userIDs did not\n       have an accompanying user name.\n\n     Prior to our departure from each site, the system administrators\nagreed to remove entries deemed \xe2\x80\x9cinvalid or unknown users\xe2\x80\x9d from their\nPTS-authorized user list.\n\n      The above conditions do not comply with the Department\xe2\x80\x99s Order\n2640.2E, \xe2\x80\x9cInformation Technology Security,\xe2\x80\x9d which requires that each user\nbe identified as unique. The Department\xe2\x80\x99s Order further requires access\ncontrols to ensure sys tem users can only access the resources necessary to\naccomplish their duties and no more. Additionally, OMB Circular A-130\nrequires agencies to implement the practice of \xe2\x80\x9cleast privilege,\xe2\x80\x9d whereby\nuser access to systems is restricted to the minimum level possible.\n\n      Allowing \xe2\x80\x9cinvalid and unknown\xe2\x80\x9d user accounts to remain on the PTS\nauthorized user list could jeopardize the effectiveness of security features\ndesigned to restrict the user\'s access to only that information which is\nnecessary for operations and for which the user has a need to know. The\nexistence of active but invalid accounts could enable an unauthorized user to\ngain access to sensitive information. For example, accounts represented by\nan employee\xe2\x80\x99s official title or position description, as opposed to a specific\nuserID, are equivalent to generic or \xe2\x80\x9cguest\xe2\x80\x9d accounts. Guest accounts could\nallow various members of a DO to share the same userID and password\n\n                                      9\n\x0cinformation to gain access to and make changes within a system. Any\nactions performed by these accounts, detrimental or otherwise, would be\ndifficult to trace back to a specific user. OMB Circular A-130 sets forth\npersonnel controls that strengthen access authorizations, provides for\nindividual accountability, and emphasizes the need to hold users accountable\nfor their actions. Ineffective access authorizations, such as allowing generic\naccounts to remain on an authorized user list, diminish the reliability of data\nand subject the system to unauthorized use, loss, or modification.\n\n      Recommendation:\n\n            We recommend the USMS:\n\n             4. Ensure that access authorizations for the PTS are reviewed\n                and that USMS headquarters update its authorized PTS\n                users list in a timely manner to incorporate changes from\n                the DOs.\n\n      Establish Physical and Logical Controls to Prevent and Detect\n      Unauthorized Access\n\n        Physical access controls consist of measures such as locking doors to\nfacilities housing computers that process sensitive information and posting\nguards at entrance points to those facilities.\n\n       Logical access controls involve the use of computer hardware and\nsecurity software programs to prevent or detect unauthorized access by\nrequiring users to input unique user identifications, passwords, or other\nidentifiers that are linked to predetermined access privileges. Additionally,\ncontrols are designed to reduce the risk of errors or fraud from occurring\nand going undetected. Policies outlining the supervision and assignment of\nresponsibilities to groups and related individuals should be documented,\ncommunicated, and enforced. Such controls keep individuals from\nsubverting a critical process. As discussed previously, we determined that\nthe PTS\xe2\x80\x99s access authorizations or logical access controls were weak because\nUSMS headquarters did not properly maintain a current list of authorized\nusers.\n\n      Physical access controls were adequately enforced at seven of the\neight sites visited. However, we encountered an instance where physical\naccess controls were not enforced to prevent or detect unauthorized access.\nWe observed that the locks on the door to a restricted area at one location\nwere not engaged. Adequate physical access controls to the building were\nprovided by armed guards; however, the door to the restricted area housing\n\n                                      10\n\x0cdata terminals and sensitive PTS information was left unlocked and\npotentially accessible by unauthorized visitors to the building.\n\n      NIST Special Publication (SP) 800-18, \xe2\x80\x9cGuide for Developing Security\nPlans for Information Technology Systems\xe2\x80\x9d explains that physical access\ncontrols protect computer resources and \xe2\x80\x9crestrict the entry and exit of\npersonnel.\xe2\x80\x9d\n\n      By not enforcing adequate physical access controls, the USMS exposed\nthe PTS to the risk that unauthorized individuals could gain access to\nsensitive information. Additionally, the USMS\xe2\x80\x99s ability to protect sensitive\nprinted data or equipment from theft or inadvertent disclosure would be\ncompromised if an unauthorized person entered a restricted facility\ncontaining sensitive PTS equipment and data.\n\n     Recommendation:\n\n           We recommend that the USMS:\n\n           5.   Ensure that existing measures, such as door locks, are used\n                to provide protection against unauthorized access to\n                sensitive areas.\n\n     Application Software Development and Change Control\n\n       Application software development and change control is an essential\ncomponent of an application\xe2\x80\x99s system development life cycle (SDLC). These\nmeasures allow managers responsible for seeing that software supporting\ntheir operation meets the requirement of the organization and produces\nreliable data.\n\n     An entity should institute policies, procedures, and techniques to\nensure responsible individuals:\n\n     \xe2\x80\xa2   Authorize processing features and program modifications properly;\n     \xe2\x80\xa2   Test and approve all new and revised software; and\n     \xe2\x80\xa2   Control software libraries.\n\n\n\n\n                                     11\n\x0c      We determined that the USMS adequately tested new software and\ncontrolled its software libraries. However, our review disclosed a deficiency\nas indicated in the chart below:\n\n           Application Software Development & Change Control\n\n                                                              VULNERABILITIES\n                             CONTROL AREAS\n                                                                  NOTED\nAuthorize processing features and modifications                     \xe2\x88\x9a\nTest and approve all new and revised software\nControl software libraries\n\n\n       Authorize Processing Features and Modifications\n\n      An entity should ensure that its SDLC policies provide a structured\napproach that identifies who can authorize modifications to the system, and\nthe policies should be distributed to all users. Ultimately, application end\nusers have the primary responsibility for taking part in the design and\nimplementation of processing features and approving subsequent changes\nmade to the application.\n\n      Although the USMS had a documented SDLC for the PTS that included\ninstructions for requesting changes to the application, many of the PTS users\nat the DOs we visited were not aware of the policy and were not aware of\nhow to formally request changes to the application. This condition exists\nbecause the USMS has not adequately disseminated established change\ncontrol policies throughout the organization.\n\n      The Department\xe2\x80\x99s Order 2640.2E, Chapter 1, \xe2\x80\x9cSecurity Program\nManagement,\xe2\x80\x9d directs components to develop a process to integrate security\ninto various stages of a system\xe2\x80\x99s life cycle and to ensure that changes to any\nsystem are controlled.\n\n      Ineffective management over modifications to application software\ncould hamper an entity\xe2\x80\x99s ability to prevent knowledgeable programmers\nfrom covertly changing program code to access sensitive data. Additionally,\nthe entity could risk the likelihood of implementing incorrect or outdated\nversions of operating system and application software. Failure to establish\nsuch controls could allow the introduction of malicious code that could lead\nto the loss or destruction of sensitive data.\n\n\n\n\n                                           12\n\x0c      Recommendation:\n\n             We recommend that the USMS:\n\n             6. Ensure PTS users are informed of the policies and procedures\n                for requesting changes to the application.\n\n      System Software\n\n      Often referred to as a \xe2\x80\x9cutility,\xe2\x80\x9d system software is used by\nprogrammers to configure a system and manage the input, processing,\noutput, and data storage associated with all of the applications that run on a\nsystem. System software operates at a higher level than application\nsoftware and can thus be used to read, modify, or delete critical or sensitive\ninformation and to bypass security controls built into application programs.\nMoreover, some system software can change data and program code without\nleaving an audit trail, such as programming software and database\nmanagement systems (DBMS). 9\n\n      Weakness in controls over system software could negatively impact\nthe reliability of information produced by applications supported by the\ncomputer system. An organization can protect the integrity of system\nsoftware in the following ways:\n\n      \xe2\x80\xa2   Limiting access to system software;\n      \xe2\x80\xa2   Monitoring access to and use of system software; and\n      \xe2\x80\xa2   Controlling system software changes.\n\n      Although the USMS effectively limited access to system software and\nmonitored its use, deficiencies were noted in the area indicated in the\nfollowing chart:\n                              System Software\n\n                                                                 VULNERABILITIES\n                      CONTROL AREAS\n                                                                     NOTED\n   Limit access to system software\n   Monitor access to and use of system software\n   Control system software changes                                         \xe2\x88\x9a\n\n\n\n\n  9\n      DBMSs organize data in a database and manage actions such as queries and updates.\n\n                                          13\n\x0c      Control System Software Changes\n\n      The PTS application consists of a database controlled by a DBMS and\napplication programming software. The database is used to store data\npertaining to the USMS\xe2\x80\x99s prisoner operations and prisoner identifying\ninformation. The application\xe2\x80\x99s user interface and functionality are modified\nusing a commercial-off-the shelf programming language.\n\n       We determined that the controls for the PTS\xe2\x80\x99s system software\nchanges were deficient. The USMS is using an outdated version of the\ndatabase management software and programming language to support the\nPTS application in its production environment. According to the DBMS and\napplication programming software vendor, the company no longer provides\ntechnical support for these products and has not done so for over five years.\nThis condition exists because the USMS has not updated and patched these\ncritical components although the vendor has produced three version updates\nsince the release of the version currently used by the USMS.\n\n      OMB Circular A-130 recommends that entities periodically review\nsecurity controls and seek ways to improve security such as utilizing\ntechnical tools to look for security problems and installing the latest software\npatches. NIST SP 800-40 specifically addresses procedures for handling\nsecurity patches. NIST warns that not patching information systems in a\ntimely manner can impact operations and degrade the confidentiality,\navailability, and integrity of a system\xe2\x80\x99s information.\n\n      The USMS\xe2\x80\x99s use of outdated programming and database management\nsoftware could prevent the USMS from implementing security enhancements\nsuch as system security patches designed to protect the PTS application\nfrom malicious software. This deficiency also increases the risk that without\ntimely updates, data entered into the PTS could be improperly processed by\nthe application.\n\n      Recommendation:\n\n            We recommend that the USMS:\n\n            7. Remove outdated versions of the PTS\xe2\x80\x99s application\n               programming software and database management system\n               from the production environment and replace with current\n               versions that are supported by the vendor.\n\n\n\n\n                                      14\n\x0c       Segregation of Duties\n\n      Segregation of duties is the practice of dividing the steps in a critical\nfunction among different individuals. In a computer processing\nenvironment, such a control assists in the prevention of one individual\nhaving complete control of the input, processing, and output stages of the\ninformation cycle and keeps a single individual from subverting a critical\nprocess.\n\n       Organizations should take steps to ensure that they:\n\n       \xe2\x80\xa2    Segregate incompatible duties and establish related policies;\n       \xe2\x80\xa2    Establish access controls to enforce segregation of duties; and\n       \xe2\x80\xa2    Control personnel activities through formal operating procedures\n            and supervision and review.\n\n     Controls that sustain the proper segregation of duties enable\nmanagement to maintain control over personnel activities. Additionally,\nsegregation of duties requires the establishment of formal operating\nprocedures as well as active supervision and review of these activities.10\n\n      We found that the USMS had adequately established access controls to\nenforce segregation of duties. However, deficiencies were noted within\nother control areas affecting segregation of duties as indicated below:\n\n                                Segregation of Duties\n\n                                                                      VULNERABILITIES\n                       CONTROL AREAS\n                                                                          NOTED\nSegregate incompatible duties and establish related policies                \xe2\x88\x9a\nEstablish access controls to enforce segregation of duties\nControl personnel activities through formal operating\nprocedures and supervision and review                                             \xe2\x88\x9a\n\n       Segregate Incompatible Duties and Establish Related Policies\n\n     Our review of the PTS disclosed that the USMS had not properly\nsegregated incompatible duties and established related policies to ensure\npersonnel understand their roles and responsibilities. Duties and\nresponsibilities associated with the USMS\xe2\x80\x99s PTS system life cycle were not\n       10\n            OMB Circular A-130 defines procedures as detailed steps to be followed by users,\nsystem operations personnel, or others to accomplish a particular task (e.g., preparing new\nuser accounts and assigning the appropriate privileges). It adds that procedures normally\nassist in complying with applicable security policies, standards, and guidelines.\n\n                                            15\n\x0cproperly segregated among staff. At the USMS\xe2\x80\x99s headquarters, only one\nindividual is assigned to code, test, and implement changes to the PTS\napplication. The same individual is authorized to move changes into the\nproduction environment and distribute those changes to the 94 DO servers.\nThis condition allows a single individua l to have complete control over\napplication programming and change control processes that should be\ndivided among two or more individuals.\n\n       The Department\xe2\x80\x99s Order 2640.2E, Chapter 2, specifies the requirement\nfor segregation of duties. The Order states that system duties should be\n\xe2\x80\x9cdefined and documented.\xe2\x80\x9d OMB Circular A-130 discusses the requirement\nfor personnel security and recommends that an application\xe2\x80\x99s security plan\nincorporate measures for the separation of duties. Furthermore, NIST SP\n800-12, \xe2\x80\x9cComputer Security Handbook\xe2\x80\x9d describes separation of duties as\n\xe2\x80\x9cdividing roles and responsibilities so that a single individual cannot subvert\na critical process.\xe2\x80\x9d\n\n      Control Personnel Activities Through Formal Operating\n      Procedures and Supervision and Review\n\n      We found that the USMS has not developed formal policies and\nprocedures to guide PTS users in performing their duties. Although the\nUSMS has published a user manual for the PTS application, the manual falls\nshort of providing formal operating procedures to be followed during critical\nprocesses such as the record creation process and subsequent record\nupdates. These processes directly affect the confidentiality, integrity, and\navailability of the PTS data. Due to the lack of policies and procedures, we\nfound that the record creation process was not standardized at any of the\nDOs we visited and that this condition exists throughout the USMS.\n\n      Following our site visits, we conferred with program managers for the\nPTS application who informed us that USMS headquarters has not provided\nformal operating policies and procedures to standardize the record creation\nprocess nor has it established standards for the collection of source\ninformation used to create prisoner records in the PTS. In the absence of\nformal policies and procedures, USMS headquarters and DOs had not\nformally established compensating controls such as requiring adequate\nsupervision or review of information once a record is created or updated in\nthe system. We observed that all DOs we visited operated differently with\nrespect to the record creation process. We also found that while some DOs\nperformed minimal supervisory reviews, others did not perform any\nsupervisory reviews because they were not required to do so. Supervisory\nreviews, performed on a consistent basis, would help to detect the types of\ncompleteness and accuracy errors we found during our review of PTS data.\n\n                                      16\n\x0c      Without proper segregation of duties, the USMS increases the risks\nthat erroneous or fraudulent transactions could be processed by the PTS and\nthat computer resources could be damaged or destroyed. Additionally,\nwithout the USMS providing adequate controls over personnel activities,\nmistakes within the PTS could occur and go undetected and expose the\napplication and its data to unauthorized use, loss, or modification.\n\n     Recommendation:\n\n            We recommend that the USMS:\n\n            8. Ensure policies and procedures for segregating duties are\n               developed and enforced to provide assurance that distinct\n               functions are performed by different individuals and that no\n               individual has complete control over the PTS\xe2\x80\x99s processing\n               functions.\n\n     Service Continuity\n\n      Service continuity measures provide for the capability to protect\ninformation resources and minimize the risk of unplanned interruptions.\nService continuity controls involve ensuring that when unexpected events\noccur, critical operations continue without interruption or are promptly\nresumed and the organization\xe2\x80\x99s sensitive data are protected. To review the\nadequacy of its service continuity control, an entity should:\n\n      \xe2\x80\xa2   Assess the criticality and sensitivity of computerized operations\n          and identify supporting resources;\n      \xe2\x80\xa2   Take steps to prevent and minimize potential damage and\n          interruption;\n      \xe2\x80\xa2   Develop and document a comprehensive contingency plan; and\n      \xe2\x80\xa2   Test the contingency plan periodically and adjust it as appropriate.\n\n\n\n\n                                      17\n\x0c      The USMS had developed a contingency plan for the PTS application.\nHowever, we found other deficiencies within service continuity controls for\nthe PTS application as indicated below:\n\n                               Service Continuity\n\n                                                          VULNERABILITIES\n                    CONTROL AREAS\n                                                              NOTED\nAssess the criticality and sensitivity of computerized\noperations and identify supporting resources                       \xe2\x88\x9a\nTake steps to prevent and minimize potential damage and\ninterruption                                                       \xe2\x88\x9a\nDevelop and document a comprehensive contingency plan\nTest the contingency plan periodically and adjust it as\nappropriate                                                        \xe2\x88\x9a\n\n      Assess the Criticality and Sensitivity of Computerized\n      Operations and Identify Supporting Resources\n\n       We determined that the USMS successfully assessed the criticality and\nsensitivity of the PTS. However, we found that the USMS was deficient in\nidentifying supporting resources within the DOs, which according to FISCAM\nincludes human resources. Specifically, the USMS had not implemented a\nmeans to identify employees with service continuity responsibilities to users\nwithin the DOs, such as making an emergency contact list available to users\nat each site. Although the USMS maintained emergency contact lists at its\nheadquarters, this deficiency occurred because the USMS did not require the\nDOs to maintain emergency contact lists to identify supporting resources\non-site. Consequently, we found that the majority of the DOs did not\nmaintain lists or make this information available to users.\n\n      NIST SP 800-34, \xe2\x80\x9cContingency Planning Guide for Information\nTechnology Systems,\xe2\x80\x9d identifies contact lists as an element of an effective\ncontingency plan and recommends the frequent review of such lists.\n\n      We also found that the USMS did not distribute its contingency plan,\nwhich contains emergency contact information, to supporting resources at\nthe DOs \xe2\x80\x93 although execution of the contingency plan requires support from\nthe system administrators assigned to the DOs. NIST SP 800-34 states that\ncopies of contingency plans are typically provided to persons with service\ncontinuity responsibilities, such as the system administrators at the DOs.\n\n\n\n\n                                        18\n\x0c       We found that the information regarding emergency notifications was\ncontradictory. The USMS PTS contingency plan identifies the Help Desk as\nthe point -of-contact for service disruptions. The plan also states that the\nsystem administrator is responsible for maintaining the PTS servers at each\nfield location and for reporting failures.11 However, the plan presents an\nemergency response scenario wherein the system administrator would notify\nthe Help Desk if the PTS server in the DO were disabled or unavailable. This\nscenario implies that system administrators, who are assigned to the DOs,\nare logically the first responders to users within the DOs and would most\nlikely be contacted in case of emergency.\n\n      The absence of an emergency contact list to identify individuals at the\nDOs with service continuity responsibilities could cause users to become\nconfused as to who should be notified in the event of an emergency,\nespecially during non-duty hours. Additionally, without a copy of the USMS\ncontingency plan for the PTS, individuals identified as supporting resources\ncould become confused as to their service continuity roles and\nresponsibilities.\n\n       In addition to our findings regarding the clear identification of\nsupporting resources, we also found problems with the competence of those\nindividuals involved in emergency response procedures. This occurred\nbecause the USMS had not required or provided sufficient training for\nemployees with service continuity responsibilities.\n\n      NIST SP 800-18 provides guidance for developing security plans for\ninformation technology (IT) systems. The guidance states that responsible\nindividuals should be designated as points-of-contact for a system and that\nthe individuals should be knowledgeable about the system. We reviewed the\nsystem administrator position description and verified that the system\nadministrators are designated as the primary representative at the DOs for\nIT functions and are responsible for responding to emergency situations.\nThe position description specifically states that the employee must possess\nknowledge of IT systems \xe2\x80\x9crecovery\xe2\x80\x9d methods and practices. However, we\nfound that system administrators, who were expected to assist with service\ncontinuity functions, lacked sufficient training to support the restoration of\nthe application and its data files. Many of the system administrators at the\nsites we visited did not know specific characteristics of the system that\nwould enable them to respond appropriately in case of an emergency.\nSpecifically, system administrators did not know the version of the\napplication running on their server or the location of their PTS database.\n\n\n      11\n           According to the USMS PTS Contingency Plan dated June 2003.\n\n                                          19\n\x0c      In the event of an emergency or system abnormality, system\nadministrators who are not properly trained could impede restoration of the\ndata files and software by failing to respond appropriately.\n\n     Recommendation:\n\n           We recommend that the USMS:\n\n           9. Ensure that:\n\n                 a) employees involved in emergency response procedures\n                    are identified and trained in their emergency roles and\n                    responsibilities; and\n\n                 b) emergency contact lists are maintained on-site.\n\n     Take Steps to Prevent and Minimize Potential Damage and\n     Interruption\n\n      Two aspects of preventing and minimizing damage or interruption of\nservice to users of the PTS application include ensuring that: a) data and\nprogram backup procedures have been implemented; and b) staff have been\ntrained to respond to emergencies.\n\n       Our review disclosed that backup tapes created at three of the DOs we\nvisited were not consistently rotated off-site. This occurred because the\nUSMS did not take steps to prevent and minimize potential damage and\ninterruption by securing backup data away from the processing facility.\nAdditionally, the USMS did not enforce its own guidelines for backup\noperations. The PTS security plan addresses contingency planning and\nstates that backups should be created nightly and transferred off-site once a\nmonth.\n\n      NIST SP 800-34, \xe2\x80\x9cContingency Planning Guide for Information\nTechnology Systems,\xe2\x80\x9d addresses backup methods. The guidance requires\nthat backup policies be established and backup data stored off-site.\n\n      Consequently, the USMS may lose the capability to restore the PTS\xe2\x80\x99s\napplication software and data by relying on insufficient preventative\nmeasures to mitigate service disruptions if tapes are not properly secured at\nan off-site location.\n\n     We also found that the USMS did not effectively ensure that staff had\nbeen trained to respond to emergencies, another aspect of minimizing\n\n                                     20\n\x0cservice interruptions. As discussed in the previous section regarding\nidentifying supporting resources, we found that system administrators\nlacked sufficient knowledge of their system environment to provide support\nof recovery functions and that copies of the contingency plan that specified\nemergency roles and responsibilities had not been distributed to the DOs.\nTherefore, we recommended the USMS provide training for employees\ninvolved in emergency response procedures in Recommendation 9.\n\n      Recommendation:\n\n            We recommend that the USMS:\n\n            10. Ensure the PTS\xe2\x80\x99s backup tapes are properly rotated and\n                stored at an off-site location.\n\n      Test the Contingency Plan Periodically and Adjust It As\n      Appropriate\n\n      Although the USMS has developed and documented a contingency plan\nfor the PTS application, it has not tested the plan. The Department\xe2\x80\x99s Order\n2640.2E, Chapter 1, sets standards for contingency planning. It directs\ncomponents to develop a contingency plan and test the plan annually.\nFurthermore, OMB Circular A-130 advises that untested contingency plans\n\xe2\x80\x9cmay create a false sense of ability to recover in a timely manner.\xe2\x80\x9d\n\n      The USMS places the PTS application and its data at risk by having an\nuntested contingency plan for PTS. This deficiency could prevent the USMS\nfrom achieving timely restoration of critical PTS system information and\ndiminish the assurance for continuity of operations in the event of a disaster.\n\n      Recommendation:\n\n            We recommend that the USMS:\n\n            11. Perform annual testing of the PTS contingency plan as\n                required by the Department.\n\n2. APPLICATION CONTROLS\n\n       Application controls are the structures, policies, and procedures that\napply to application systems. Application controls include both the routines\nbuilt into the computer program code and the external safeguards provided\nby users. External safeguards include manual measures performed by the\n\n\n                                      21\n\x0cuser such as reviewing output reports to determine that the computer\nprocesses data accurately.\n\n      Application controls help make certain that transactions are valid,\nproperly authorized, and completely and accurately processed by the\ncomputer during all three phases of a processing cycle \xe2\x80\x93 input, processing,\nand output. At the time of input, data should be authorized, converted to an\nautomated form, and entered into the system. This transaction is expected\nto be accurate, complete, and occur in a timely manner. For the processing\nphase, the computer accepts the data entered and files are updated in the\nsystem\xe2\x80\x99s database. Lastly, in the output phase, files and reports are\ngenerated by the system and the results are expected to yield an accurate\nprocessing of the data entered into the system. Controls should be in place\nto ensure that system outputs are controlled and distributed only to\nauthorized persons.\n\n      To assess the effectiveness of application controls for the PTS, we\nreviewed authorization, completeness, accuracy, and integrity of processing\ncontrols. We identified deficiencies within all of the application control areas.\n\n      Authorization Controls\n\n      Authorization controls are designed to ensure the validity of system\ntransactions, and that the transactions performed represent an event that\nactually occurred during a given period. These controls regulate access to\nnetwork resources and ensure that data is properly converted to an\nautomated form so it can be processed accurately, completely, and timely.\n\n      Effective authorization controls should protect the data input process\nand include the following critical elements:\n\n      \xe2\x80\xa2   All data are authorized before entering the application system;\n      \xe2\x80\xa2   Restrict data entry terminals to authorized users for authorized\n          purposes; and\n      \xe2\x80\xa2   Master files and exception reporting help ensure all data processed\n          are authorized.\n\n\n\n\n                                       22\n\x0c     The USMS effectively used master files to help ensure that all data are\nprocessed. However, the following deficiencies were noted as indicated\nbelow:\n\n                            Authorization Controls\n\n                                                                   VULNERABILITIES\n                      CONTROL AREAS\n                                                                       NOTED\nAll data are authorized before entering the application system           \xe2\x88\x9a\nRestrict data entry terminals to authorized users for authorized\npurposes                                                                  \xe2\x88\x9a\nMaster files and exception reporting help ensure all data are\nprocessed and are authorized\n\n\n      All Data Are Authorized Before Entering the Application System\n\n       In order to ensure that all data are authorized before entering the\napplication system, the FISCAM recommends that entities should implement\nmeasures to: a) control source documents and require authorizing\nsignatures; and b) ensure supervisory reviews of data occur before entering\nthe application system. The guidance acknowledges that paper source\ndocuments continue to play an important role during the data collection\nprocess. It cautions, however, that source documents should be controlled\nat the earliest point in the process and the data should be approved for use\nprior to entering the system. FISCAM also outlines requirements for\nperforming independent or supervisory reviews of data regardless of the\nsource. Our review disclosed deficiencies within both areas designed to\nensure the proper authorization of data.\n\n      Control source documents and require authorizing signatures\n\n       We found that the USMS had not established controls over source\ndocuments, nor provided for their proper authorization. The GAO defines a\nsource document as information that serves as the basis for the entry of\ndata into a computer system. At all sites visited, we experienced difficulty in\nverifying the validity of the transactions we reviewed on PTS output reports\ndue to the absence of source documents or because of inconsistencies with\nthe collection and authorization of source documents. Therefore, the USMS\nwas not able to attest to the validity of many transactions entered into the\nPTS or support the actions taken by its employees.\n\n      This condition occurred because the USMS had not formally\nestablished baseline requirements for source documents to provide a\n\n                                        23\n\x0creasonable assurance that critical identifying information is collected from a\nreliable source and is properly authorized. Additionally, the USMS had not\nimplemented effective controls to ensure the proper authorization of data\nobtained from source documents prior to that data being used in PTS\ntransactions.\n\n      Because baseline requirements for source documents had not been\nestablished by the USMS, we consulted the USMS employees performing\nrecord creation duties at the sites visited to determine what documents were\nused as source documents during the record creation process for the PTS.\nAccording to these employees, \xe2\x80\x9ckey\xe2\x80\x9d source documents us ed to support the\nrecord creation process included: the individual custody and detention form\n(USM-129); FBI fingerprints card (FD-129); intake photo; and medical form\n(USM-552).\n\n       However, we found that because the USMS did not require employees\nto collect these source documents on a consistent basis, some DOs were not\ncreating records based on documentation, but rather on interviews with\nprisoners. This occurred because the USMS had not formally established\nbaseline requirements for source documents, such as the ones identified by\nUSMS personnel, to provide a reasonable assurance that critical identifying\ninformation is collected from a reliable source and is properly authorized.\n\n       The USMS Cellblock Operations Directive advises employees to\ninterview the prisoner during the initial intake process and collect identifying,\narrest, prosecution, and medical information from the prisoner. The\ndirective instructs employees to then enter the information obtained from\nthe prisoner into the PTS to create a prisoner record. Under these\nconditions, the USMS is basing the reliability of the information collected on\nthe integrity of the prisoner. Furthermore, the directive does not require\nthat information be approved by an authorizing official or verified from other\npresumably more reliable sources such as court documents or forms\ncompleted by arresting officers.\n\n      OMB Circular A-130 advises federal agencies of the requirement for\nrecords management and states that agencies should \xe2\x80\x9ccreate and keep\nadequate and proper documentation of their activities.\xe2\x80\x9d 12 OMB also warns\nthat the lack of sufficient record keeping weakens agencies\xe2\x80\x99 ability to\n\n       12\n            According to OMB, the term "records management " involves those managerial\nactivities that support records creation, records maintenance and use, and records\ndisposition. Records management allows agencies to achieve adequate and proper\ndocumentation of the policies and transactions of the federal government and effective and\neconomical management of agency operations. (44 U.S.C. 2901(2))\n\n\n                                            24\n\x0cresponsibly perform their missions. OMB emphasizes the importance of\nrecord-keeping activities in each stage of a system\xe2\x80\x99s life cycle and directs\nagencies to document their procedures for information collection.\n\n      By failing to establish standards and controls over source documents\nand provide for the proper authorization of data, the USMS is jeopardizing\nthe reliability of information collected during the record creation process.\nThe reliability of data that serves as the basis for creating records in the PTS\nhas a direct impact on the confidentiality, availability, and integrity of the\ndata within the PTS.\n\n       Throughout our review, we also found inconsistencies with the\ncollection of source documents, the authorization of data, and the\nmaintenance of source documents within each prisoner\xe2\x80\x99s file folder. We\nnoted that each DO essentially performed data collection, record creation,\nand file maintenance functions differently. These inconsistent practices\nresulted in the deficiencies discovered during our assessment of the PTS\xe2\x80\x99s\ndata integrity. Specifically, we discovered findings within the PTS\xe2\x80\x99s\ncompleteness of information and accuracy of information. This occurred\nbecause the USMS had not standardized the record creation process\nthroughout the USMS to aid in establishing control over source documents.\n\n       The GAO\xe2\x80\x99s guidance for assessing data reliability emphasizes the need\nfor organizations to establish and adhere to standardized rules for the\ncollection and use of data in computer processing environments.\nAdditionally, adherence to the consistent interpretation of data rules, or the\nuse of standardized processes, contributes to data reliability. The guidance\nstresses that standardization and consistency are particularly important to\nsystems where data is entered at multiple sites, such as the PTS. The\nguidance asserts \xe2\x80\x9cinconsistent interpretation of data rules can lead to data\nthat, taken as a whole, are unreliable.\xe2\x80\x9d Failure to establish and enforce\nstandardized procedures during critical processes, such as the record\ncreation process for the PTS, could negatively affect the reliability of data\nwithin the PTS and impact the mission of the USMS.\n\n       We determined that the USMS\xe2\x80\x99s cellblock directive and user manual do\nnot provide adequate data rules for employees or set standards for\nconsistency during the record creation process. In the case of the PTS,\nformal standards would ensure, at a minimum, that each prisoner file folder\ncontains photographs, medical information, and fingerprint cards; and that\ncritical identifying information is collected from a reliable source such as a\ncourt document or agent arrest form. These standards could also provide\nreasonable assurance against the misidentification or mishandling of a\nprisoner due to inaccurate, unauthorized, or unreliable data.\n\n                                      25\n\x0c      Recommendation:\n\n            We recommend that the USMS:\n\n            12. Develop policies and procedures to:\n\n                  a)   establish key source document requirements; and\n\n                  b)   standardize the record creation process throughout\n                       the USMS for the PTS.\n\n      Ensure supervisory reviews of data occur before entering the\n      application system\n\n       We also found that supervisory or independent reviews of source\ndocument information were not being performed on a consistent basis prior\nto the information being entered into the PTS. This was evidenced by the\nfact that handwritten \xe2\x80\x9cIndividual Custody and Detention\xe2\x80\x9d (USM-129) forms,\nwhen used, did not always contain an authorizing signature. We observed\nthat some DOs provided supervisory reviews during the record creation\nprocess while others did not. In addition, our review of prisoner file folders\nfor accuracy of information disclosed discrepancies between information on\nsource documents and information on the PTS output reports. We\ndetermined that these inaccuracies could have been prevented through the\nuse of compensating controls such as supervisory reviews. This condition\nexisted because the USMS did not require DOs to perform supervisory\nreviews of source documents and transactions.\n\n      In the absence of policies and procedures, supervisory reviews serve\nas a compensating control to ensure the proper authorization of source\ndocuments and transactions. OMB Ci rcular A-130 prescribes the use of\ncontrols that monitor individual accountability and prevent and detect harm\ncaused by \xe2\x80\x9cauthorized individuals engaged in improper activities, whether\nintentional or accidental.\xe2\x80\x9d\n\n      Recommendation:\n\n            We recommend that the USMS:\n\n            13. Implement a control, such as requiring the supervisory\n                authorization of data, to ensure that before information is\n                entered into the system, transactions are supported by\n                properly authorized source documents.\n\n                                      26\n\x0c      Restrict Data Entry Terminals to Authorized Users for\n      Authorized Purposes\n\n      The USMS has not implemented automated controls to trace actions on\nthe system or ensure that data entry terminals are restricted to authorized\nusers for authorized purposes. In our judgment, this weakness exists\nbecause the USMS does not maintain sufficient audit trails for the PTS\napplication or require exception reports generated from audit logs. These\nreports could help identify unauthorized activities such as excessive errors\nmade by an employee, record deletions, or attempts to gain access to\nresources to which the user is not authorized.\n\n       The Department\xe2\x80\x99s Order 2640.2E, Chapter 2, \xe2\x80\x9cSecurity Requirements\xe2\x80\x9d\n(Accountability and Audit Trails), requires that audit logs be maintained and\nreviewed for activities that could modify, bypass, or negate the system\'s\nsecurity safeguards. Audit logs provide a measure of assurance to enforce\nindividual user accountability.\n\n       The USMS has not implemented automated controls to trace the\noccurrence of unauthorized activities or look for patterns of behavior by\nusers of the PTS application. Therefore, USMS management has reduced its\nability to monitor unauthorized attempts by users who have access to\nsensitive data above their access levels, unauthorized changes or deletions\nto prisoner records, or activities of users with privileged accounts. These\nvulnerabilities could impact the integrity of data within the PTS application.\n\n      Recommendation:\n\n            We recommend that the USMS:\n\n            14. Maintain and review audit trails for the PTS application as\n                required by the Department.\n\n      Completeness Controls\n\n       Completeness controls are designed to ensure that all authorized\ntransactions are processed and completed prior to being entered into the\ncomputer. These controls include the use of record counts and control\ntotals, computer sequence checking, computer matching of transaction data\nwith data in a master or suspense file, and checking of reports for\ntransaction data.\n\n\n\n                                     27\n\x0c      Completeness controls in an application provide safeguards for\nensuring that:\n\n       \xe2\x80\xa2   All aut horized transactions are entered into and processed by the\n           computer; and\n       \xe2\x80\xa2   Reconciliations are performed to verify data completeness.\n\n      Our review of the USMS\xe2\x80\x99s completeness controls for the PTS disclosed\na deficiency as indicated in the following chart:\n\n                              Completeness Controls\n\n                                                                VULNERABILITIES\n                       CONTROL AREAS                                NOTED\nAll authorized transactions are entered into and processed by\nthe computer                                                             \xe2\x88\x9a\nReconciliations are performed to verify data completeness\n\n\n       All Authorized Transactions Are Entered Into and Processed by\n       the Computer\n\n       In our review of completeness controls, we found that mechanisms\nbuilt into the PTS application to perform computer sequence checking were\ninadequate for the PTS environment. This condition exists because the\ncurrent configuration of the PTS application is restrictive in that the default\nsystem configuration confines sequence checking to the information\ncontained in the local database and does not automatically extend the\nsearch to other DO databases.\n\n      The USMS Cellblock Operations Directive dictates that a prisoner will\nbe assigned only one USMS number throughout their history with the\nagency. This would require that all 94 DO databases be searched to\ndetermine if the prisoner being processed has an existing USMS number\nassigned by another district before a district issued a USMS number.\n\n      The PTS application\xe2\x80\x99s current software configuration is not conducive\nto automatically facilitate global database searches for prisoners\xe2\x80\x99 USMS\ntracking numbers and name information because the USMS maintains a\nseparate PTS database at each of its 94 DOs. Under the current\nconfiguration, PTS users can (by default) search only their local database to\ndetermine if a prisoner has been previously assigned a USMS number in\ntheir district. The PTS application is not programmed to automatically\nextend the search to other DO databases.\n\n\n                                            28\n\x0c      In order to determine if a prisoner has an existing USMS number that\nwas assigned in another district, the PTS user must manually connect to the\nPTS database where the original USMS number and prisoner information is\nmaintained. In the absence of knowing where the USMS number originated,\nthe PTS user would have to manually perform 93 additional database\nsearches to determine if a USMS number exists for the prisoner in another\nDO.\n\n       In its own directive regarding cellblock operations, the USMS advises\nPTS users to exit the application and go to the Federal Bureau of Prisons\xe2\x80\x99s\n(BOP) SENTRY application to search for the existence of a previously\nassigned USMS number. 13 This workaround solution is impractical because it\nforces PTS users to seek USMS information outside their own component\nthat should be readily available on USMS systems. Additionally, not all users\nof the PTS application have access to BOP SENTRY; therefore, those users\nare restricted from performing the search within SENTRY to check for a pre-\nexisting USMS number before assigning a new USMS number.\n\n      The current configuration of the PTS application constrains a name\nsearch to the local database. This constraint threatens compliance with the\nUSMS\xe2\x80\x99s own directives regarding multiple USMS numbers. Additionally, it\ndoes not provide adequate assurance to the USMS that multiple USMS\nnumbers will not be assigned to the same individual.\n\n        Recommendation:\n\n              We recommend the USMS:\n\n              15. Ensure that the PTS application is modified to perform\n                  automatic global database searches of all its DO databases\n                  to prevent the assignment of more than one USMS number\n                  to the same prisoner.\n\n        Accuracy Controls\n\n      Accuracy controls are implemented to ensure that data recording is\nvalid and accurate in order to produce reliable results. The implementation\nof these controls includes well-designed data entry processes, easy-to-follow\ndata entry screens, limit and reasonableness checks, and validation of\n\n   13\n        The OIG conducted a Review of Select Application Controls for the BOP SENTRY\napplication in its Audit Report No. 03-25, July 2003. SENTRY is BOP\xe2\x80\x99s primary mission\nsupport database. The system collects, maintains, and tracks critical inmate information,\nincluding inmate location, medical history, behavior history, and release data.\n\n                                            29\n\x0coverride actions for appropriateness and correctness. Without accuracy\ncontrols, invalid data may enter the system and produce unreliable results.\n\n      Entities can take steps to strengthen the effectiveness of accuracy\ncontrols by making sure that:\n\n      \xe2\x80\xa2   Data entry design features contribute to data accuracy;\n      \xe2\x80\xa2   Data validation and editing are performed to identify erroneous\n          data;\n      \xe2\x80\xa2   Erroneous data are captured, reported, investigated, and corrected;\n          and\n      \xe2\x80\xa2   Output reports are reviewed to help maintain data accuracy and\n          validity.\n\n     We determined that the PTS\xe2\x80\x99s data entry design and data validation\nand editing features were adequate. However, our review identified\nweaknesses with accuracy controls within the PTS application as indicated\nbelow:\n\n                                     Accuracy Controls\n\n                                                                       VULNERABILITIES\n                        CONTROL AREAS\n                                                                           NOTED\nData entry design features contribute to data accuracy\nData validation and editing are performed to identify erroneous data\nErroneous data are captured, reported, investigated, and\ncorrected                                                                     \xe2\x88\x9a\nOutput reports are reviewed to help maintain data accuracy\nand validity                                                                  \xe2\x88\x9a\n\n      Erroneous Data Are Captured, Reported, Investigated, and\n      Corrected\n\n      Our review of accuracy controls for the PTS application disclosed that\nerroneous data within the system was not identified, reported, investigated,\nnor corrected. Information on erroneous data is useful in forming a basis\nfrom which management can review and analyze the levels and types of\ntransaction errors and formulate plans for corrective action. However, we\nfound that information on rejected transactions and erroneous data was not\nanalyzed because the USMS management did not require erroneous data to\nbe collected and reported back for investigation and correction.\n\n     NIST SP 800-12, Chapter 4, \xe2\x80\x9cCommon Threats,\xe2\x80\x9d warns that errors and\nomissions can threaten data and system integrity. It classifies some errors\n\n                                            30\n\x0cas threats, because users frequently make errors that result in security\nproblems. The guidance recommends that because application programs\ncannot detect all types of input errors or omissions, erroneous data should\nbe reviewed to determine if errors cause threats to a system or result in\nvulnerabilities.\n\n      The NIST Federal Information Processing Standards Publication 73,\nSection 3.1.3, states that checking of input data during processing and\nvalidation of data that is generated by the application system are essential\nfor assuring data integrity. Errors in PTS data should be detected and\ncorrected as soon as possible in order to prevent the propagation of invalid\ndata throughout the system and the potential contamination of the system\napplication.\n\n      Without the USMS effectively implementing measures to strengthen\naccuracy controls, invalid data may be entered in the system, be processed\nby the system, and cause production results that are unreliable to the\nsystem users. Our review of the PTS output reports for accuracy of the\ninformation reflects the existence of errors and omissions that accuracy\ncontrols are designed to detect.\n\n      Recommendation:\n\n            We recommend that the USMS:\n\n            16. Ensure erroneous data are collected and reported back to\n                USMS management for investigation and correction.\n\n      Output Reports Are Reviewed to Help Maintain Data Accuracy\n      and Validity\n\n      A critical element of accuracy controls includes the review of output\nreports to help maintain data accuracy and validity. An aspect of enforcing\nthe review of output reports consists of maintaining control over system\noutput production and distribution. We determined that the controls over\nsystem output production and distribution for the PTS application were weak\nbecause the USMS did not enforce strict controls to prevent the exposure of\nsensitive PTS output to non-authorized employees.\n\n      The USMS allows authorized PTS users and non-authorized USMS\nemployees to share the same network printers. This poses a problem with\nthe district office\xe2\x80\x99s ability to adequately protect sensitive output production\nand distribution from non-authorized employees who have physical access to\nnetwork printers. We also observed that cover pages are not used to\n\n                                      31\n\x0csafeguard sensitive PTS data from viewing by unauthorized individuals when\nthe output is printed on network printers. Cover pages could serve as a\nmitigating control to identify the owner of the printed output on shared\nprinters.\n\n       NIST SP 800-53, \xe2\x80\x9cRecommended Security Controls\xe2\x80\x9d provides guidance\nfor protecting sensitive information to prevent the unauthorized receipt of\npaper media. It cautions that entities should provide adequate supervision\nof personnel and develop detailed procedures to ensure that unauthorized\nindividuals cannot read, copy, alter, or destroy information generated by the\ninformation system in printed form. Additionally, the guidance stresses\nassurances that \xe2\x80\x9cOutput from the information system is given only to\nauthorized users.\xe2\x80\x9d\n\n      The Department\xe2\x80\x99s Order 2640.2E, \xe2\x80\x9cAccess Control,\xe2\x80\x9d requires that users\nonly have access to information necessary to perform their duties and no\nmore. Moreover, it requires that controls be in place to ensure that users\ncan only access resources critical to the accomplishment of their duties.\n\n      OMB Circular A-130 also provides requirements for information\nsafeguards. It states that information protected by the Privacy Act of 1974\nshould be collected, maintained, and protected to prevent disclosure of\npersonal information and intrusion into the privacy of individuals. The\nCircular holds agencies responsible to see that appropriate information\nsafeguards are instituted and that employees are trained in the protection of\nprivacy.\n\n       By allowing authorized PTS users to print sensitive PTS output on\nnetwork printers shared by non-authorized USMS employees, the USMS is\nneglecting critical physical security measures that protect against\nunauthorized access. This vulnerability poses a threat to the USMS\xe2\x80\x99s ability\nto comply with federal regulations that require protection of privacy\ninformation from unauthorized disclosure. It also undermines the USMS\xe2\x80\x99s\nefforts to effectively enforce appropriate access control and segregation of\nduties.\n\n     Recommendation:\n\n           We recommend the USMS:\n\n           17. Ensure that PTS output reports containing sensitive privacy\n               information are protected from unauthorized persons.\n\n\n\n                                     32\n\x0c      Controls Over Integrity of Processing and Data Files\n\n      Controls over integrity of processing and data files are used to ensure\nthat the current versions of production programs and data files are made\navailable to users during system processing. These controls prevent users\nfrom accessing outdated versions of software that may be present in the\nproduction environment. Controls over integrity of processing and data files\ninclude:\n\n      \xe2\x80\xa2   Procedures that ensure that the current version of production\n          programs and data files are used during processing;\n      \xe2\x80\xa2   Programs with routines that verify that the proper version of the\n          computer file is used during processing;\n      \xe2\x80\xa2   Programs with routines that check for internal file header labels\n          before processing; and\n      \xe2\x80\xa2   Mechanisms within the application that protect against concurrent\n          file updates.\n\n      We found that procedures existed to ensure that the current versions\nof production programs, data files, and computer files are used during\nprocessing and that programs check internal file header labels before\nprocessing. However, we discovered the following deficiency in the control\narea indicated below:\n\n           Controls Over Integrity of Processing and Data Files\n\n                                                                     VULNERABILITIES\n                       CONTROL AREAS\n                                                                         NOTED\nProcedures ensure that the current version of production programs\nand data files are used during processing\nPrograms include routines to verify that the proper version of the\ncomputer files is used during processing\nPrograms include routines for checking internal file header labels\nbefore processing\nMechanisms within the application protect against concurrent\nfile updates                                                                \xe2\x88\x9a\n\n      Mechanisms Within the Application Protect Against Concurrent\n      File Updates\n\n      Our review of the PTS application disclosed deficiencies within the\ncontrols that prevent concurrent updates of files. According to USMS\nheadquarters, the PTS application is distributed to each of the 94 DOs.\nUSMS headquarters also asserted that system administrators at each site\ncannot modify the PTS\xe2\x80\x99s functionality and that the application should\n\n                                          33\n\x0cfunction uniformly. However, we discovered malfunctions with the controls\nbuilt into the application to prevent concurrent file updates. We performed\ntesting at all DO locations visited, and at four locations we observed that the\ncontrols against concurrent updates did not work consistently. PTS users\nwere able to access the same prisoner record and make changes to the\ndatabase simultaneously.\n\n      OMB Circular A-130 recommends that entities periodically review\nsecurity controls and seek ways to improve security such as utilizing\ntechnical tools to look for security problems and installing the latest software\npatches. NIST SP 800-40 specifically addresses procedures for handling\nsecurity patches and confirms that many organizations fail to keep software\nupdated and patched. It warns that not patching information systems in a\ntimely manner can impact operations and degrade the confidentiality,\navailability, and integrity of a system\xe2\x80\x99s information.\n\n      Weaknesses with controls that protect against the concurrent update\nof records within an application threaten the integrity of its data. When\nmultiple users of the application can access the same prisoner record and\nmake changes to the database simultaneously, there is no assurance that\nthe information in the record is correct or that the application has processed\nthe information properly.\n\n      It appears that this weakness occurred because the USMS did not\nensure that all of its DOs received identical versions of the PTS application or\nthat the existing versions were not patched in a timely manner. Specifically,\nUSMS should confirm that the version of the PTS application in production at\neach site contains the full security controls, including those designed to\nprevent simultaneous updates to protect the integrity of data.\n\n      Recommendation:\n\n            We recommend the USMS:\n\n            18. Ensure that each installation of the application protects\n                against simultaneous updates of the same record by more\n                than one end-user.\n\n3. DATA INTEGRITY TESTING\n\n      The goal of maintaining data integrity is the assurance that\ninformation processed by the computer is reasonably complete and accurate\nand meets the needs of the organization. Completeness and accuracy of\ninformation reflect how well data integrity is maintained.\n\n                                      34\n\x0c      \xe2\x80\xa2   Completeness of information. This requires that the PTS records\n          contain all necessary data elements and transactions are supported\n          by source documents; and\n      \xe2\x80\xa2   Accuracy of information. Information on the PTS output reports\n          reflect the data entered into the PTS from source documents.\n\n       Our review of the factors that contribute to data integrity disclosed\ndeficiencies within the areas indicated below:\n\n                    Data Integrity Assessment Factors\n\n                                                              VULNERABILITIES\n                                                                  NOTED\nCompleteness of Information\nRecords contain all of the data elements and documents used\n                                                                        \xe2\x88\x9a\nas support for the transactions\nAccuracy of Information\nOutput reports reflect the data obtained from the source                \xe2\x88\x9a\ndocuments\n\n\n      Completeness of Information\n\n      Completeness is achieved when data elements are processed as\nintended and source documents are maintained to support the results of\nprocessing. We evaluated the completeness of prisoner file folders to\ndetermine if PTS data were properly authorized and supported by adequate\nand proper documentation. Our review for completeness of information\nfocused on the existence of key source documents in prisoner records as\ndiscussed earlier in the authorization controls section of this report.\n\n      Records contain all of the data elements and documents used\n      as support for the transactions\n\n      We found that many of the prisoner file folders reviewed were missing\ninformation used to validate data entry transactions and to substantiate the\nactions taken by USMS personnel. This occurred because the USMS did not\nestablish and implement standards regarding data collection and comply\nwith federal records retention requirements.\n\n\n\n\n                                      35\n\x0c      The chart below details the number of occurrences for source\ndocument discrepancies found during the review of 25 records at each site,\nand the percentages were calculated against the total number of records\n(200) reviewed at all sites.\n\n               PTS\xe2\x80\x99s Prisoner File Folder Completeness Analysis\n\n                         Missing                           Missing\n                         Original                        Fingerprint      Missing\n       Sites            USM-129 &             Missing       Cards       USM-552/553\n      Visited              312                Photos      (FD-129)     (medical form)\n             E/VA           7                    3           1               2\n           DC/DC            2                    5           2              22\n             S/NY           2                    1           2               4\n             E/PA           5                   10           1              24\n             S/TX           7                    3           3              11\n              N/IL          5                    0           0              24\n             S/FL           1                    0           0               3\n            D/AZ            9                    3           6               2\n          Totals:         38                   25           15              92\n    Percentage:           19%                  13%           8%            46%\n  Source:   The OIG\xe2\x80\x99s analysis of record completeness.\n\n\n       OMB Circular A-130 outlines an information management policy that\nincludes records retention requirements and advises agencies to record\nsufficient information to ensure the management and accountability of its\nprograms. Additionally, the guidance directs agencies to incorporate records\nmanagement functions into a system\xe2\x80\x99s SDLC that include maintaining\nadequate and proper documentation of agency activities. Furthermore, OMB\ndirects agencies to provide training and guidance to all employees regarding\ntheir records management responsibilities, especially with respect to\nmaintaining adequate and proper documentation of program activities to\nprotect the federal government\xe2\x80\x99s legal and financial interests.\n\n       Incomplete prisoner file folders pose a significant risk to the USMS\xe2\x80\x99s\nability to validate PTS transactions, verify information, and justify the\nactions of its employees.\n\n      Recommendation:\n\n               We recommend the USMS:\n\n               19. Ensure that adequate and proper source documents are\n                   maintained in prisoner file folders to substantiate employee\n                   activities.\n\n\n                                                    36\n\x0c      Accuracy of Information\n\n      Information is considered accurate if the results of computer\nprocessing reflect the contents of source documents. Accuracy of\ninformation can be verified by the periodic spot-checking of system output\nreports to validate and confirm that the application has processed the data\nentered into it correctly.\n\n      Output reports reflect the data obtained from the source\n      documents\n\n       System output is evidence of the results of the input and processing\nfunctions of an application and reflects the effectiveness of such operations.\nIf reviewed, output reports help to maintain the accuracy and validity of data\nwithin a system and determine the completeness of processing. The USMS\xe2\x80\x99\nform 129 (USM-129) is the PTS application\xe2\x80\x99s output report resulting from\nprisoner record creation and subsequent record updates.\n\n      After performing the analysis for the existence of key source\ndocuments used to create and update prisoner records, we reviewed the\nsame prisoner file folders for accuracy of information. This review included\nthe manual inspection of source documents contained in prisoner file folders.\nThe source documents were then compared against the information\nappearing on the prisoner\xe2\x80\x99s USM-129 form (PTS\xe2\x80\x99s output report) to determine\ndata accuracy.\n\n       Our review of output reports produced by the PTS application disclosed\ndiscrepancies in the accuracy of information. We found that prisoner\nidentifying information, such as a prisoner\xe2\x80\x99s date of birth (DOB) and social\nsecurity number (SSN), appearing on the PTS output reports did not always\nmatch the source documents contained in the prisoner\xe2\x80\x99s file folder.\nAdditionally, critical dates, such as a prisoner\xe2\x80\x99s custody date, did not always\ncorrelate with dates on source documents in the prisoner file folders. Such\ndates are used by the USMS to calculate expenditures for reimbursements to\ncontract jail facilities.\n\n      We noted common deficiencies in eight areas. These areas included:\n\n      \xe2\x80\xa2   Incorrect DOB;\n      \xe2\x80\xa2   Incorrect SSN;\n      \xe2\x80\xa2   Misfiled documents;\n      \xe2\x80\xa2   Concurrent jail days;\n      \xe2\x80\xa2   Misnumbered file jackets (prisoner\xe2\x80\x99s file folder);\n      \xe2\x80\xa2   Missing transactions;\n      \xe2\x80\xa2   Wrong dates (such as custody and sentence dates); and\n      \xe2\x80\xa2   No supporting documentation.\n                                      37\n\x0c            The chart below illustrates the results of our review of the PTS\xe2\x80\x99s output\n      reports. The numbers in each column represent the number of inaccuracies\n      found during the review of 25 records at each site. The percentages were\n      calculated against the total number of records (200) reviewed.\n\n                                      Accuracy of PTS\xe2\x80\x99s Output Reports\n\n                   Incorrect   Incorrect    Misfiled   Concurrent   Misnumbered       Missing      Wrong   No Supporting\n                     DOB         SSN       Documents    Jail Days    File Jackets   Transactions   Dates   Documentation\n\n          E/VA        2           1            1           1             0               7          8          18\n        DC/DC         1           2            0           1             1               7         10          23\n          S/NY        0           0            0           0             0               1          8            5\n          E/PA        0           1            2           0             3               0          2          21\n          S/TX        4           0            0           0             3               0         12          20\n           N/IL       1           1            0           0             0               0          7          25\n          S/FL        0           1            0           0             5               2          7          24\n          D/AZ        1           0            1           0             0               1          1          15\n         Total:       9           6            4           2           12              18          55         151\n Percentage:          5%          3%           2%          1%            6%             9%         28%         76%\nSource: The OIG\xe2\x80\x99s analysis of data accuracy.\n\n\n      DOB and SSN information. This information is used to distinguish\n      between prisoners with identical names. We found instances where\n      documents in the prisoners\xe2\x80\x99 file folders did not match the DOB or SSN\n      information appearing on the PTS\xe2\x80\x99s USM-129 report.\n\n      Misfiled documents. We discovered documentation pertaining to one\n      USMS prisoner erroneously filed inside another prisoner\xe2\x80\x99s file folder.\n      Prisoner file folders contain records of court proceedings such as writs,14\n      judgment and commitment orders, and warrants that are used to initiate\n      and substantiate updates to prisoner records. A document filed in the wrong\n      prisoner\xe2\x80\x99s file folder could delay or prevent the processing of a time-sensitive\n      prisoner action such as a release, movement, or designation to a BOP\n      facility.\n\n      Concurrent jail days. These represent instances where entries in the\n      chronological prisoner history section of the USM-129 indicated that a\n      prisoner was housed at two different jail facilities on the same dates. USMS\n      uses the number of jail days to calculate monthly obligations to state and\n      local contract jail facilities. Therefore, jail day discrepancies could negatively\n\n              14\n                 Writs are formal legal documents that order or prohibit some action. For\n      exa mple, a \xe2\x80\x9cWrit Ad Testificandum\xe2\x80\x9d is a legal document ordering a witness to testify in a\n      court proceeding.\n\n\n                                                            38\n\x0cimpact the accurate payment of bills causing the USMS to pay for contract\njail services it did not receive.\n\nMisnumbered file jackets. At one site visited, we experienced difficulty\nlocating a prisoner\xe2\x80\x99s file folder because the USMS number on the file folder\ndid not match the prisoner\xe2\x80\x99s USMS number. We also observed what\nappeared to be a re-constructed file folder because the prisoner\xe2\x80\x99s USM-129\nshowed substantial confinement history, but the file folder had little or no\ncontents and was missing the minimal source documents such as\nphotographs and fingerprint cards. An error of this nature could prevent\nUSMS personnel from locating records in a timely manner or result in the\nneed to \xe2\x80\x9creconstruct\xe2\x80\x9d a prisoner file folder for the prisoner in custody.\n\nMissing transactions. We identified occurrences where documentation\nexisted in the prisoner\xe2\x80\x99s file folder that changed the prisoner\xe2\x80\x99s status, but\nthe transaction was not entered into the PTS. Specifically, the prisoner\xe2\x80\x99s file\nfolder contained documentation that would trigger an update action such as\nthe receipt of a judgment and commitment order, but the appropriate\ntransaction to update the record was not entered into the PTS (WT-J/C).15\nAgain, this type of discrepancy could prevent or delay a time-sensitive\ntransaction from being entered into the PTS.\n\nWrong dates. These were identified when comparing the PTS\xe2\x80\x99s system\noutput (USM-129 report) with the agent\xe2\x80\x99s arrest form source document.\nIncorrect entries were identified for critical dates \xe2\x80\x93 the prisoner\xe2\x80\x99s arrest date\nand USMS custody date. Discrepancies with the prisoner\xe2\x80\x99s arrest date and\nUSMS custody date directly affect the credit a prisoner receives for time\nserved and also factor in the calculation for jail days used to reconcile jail\nbills and other expenditures.\n\nNo supporting documentation. At all sites visited, we found that\nprisoners\xe2\x80\x99 file folders were missing documents that were needed to\nsubstantiate record update actions taken by the USMS personnel. In these\ninstances, we determined that documentation did not exist for many of the\nstatus code transactions and the majority of the facility history transactions\nthat chronicled prisoner movements. Specifically, key documents, such as\nprisoner manifest forms, were not consistently maintained in the prisoner\xe2\x80\x99s\n\n\n\n       15\n            The code \xe2\x80\x9cWT-J/C\xe2\x80\x9d is the status code for a sentenced prisoner for whom the\ndistrict has not yet received the Judgment/Commitment (J&C) papers to confirm the\nsentence information. Upon receipt of the J&C, the district may send a request to BOP in\norder to determine which BOP facility the prisoner will serve the period of confinement.\n\n\n                                            39\n\x0c  file folder or filed in the DOs for longer than one year. 16 Other supporting\n  documents, such as \xe2\x80\x9crequests for designation\xe2\x80\x9d or correspondence from the\n  BOP that justified prisoner movements, were also not maintained in the\n  prisoner file folders we reviewed.\n\n         We found a significant number of errors with respect to the accuracy of\n  information on system output and with the completeness of prisoner file\n  folders records. We attributed the existence of these conditions to the lack\n  of policies and procedures to standardize the intake process, as well as the\n  lack of supervisory review of data before it is entered into the PTS\n  application.\n\n     Recommendation:\n\n                We recommend that the USMS:\n\n                20. Ensure that data integrity assurances and quality control\n                    measures are developed and implemented to:\n\n                       a) require the periodic spot-checking and validation of\n                          output from the PTS; and\n\n                       b) confirm that the processing of information is\n                          correct.\n\nIII. CONCLUSION\n\n        The weaknesses identified in our review of select general controls\n  included problems with entity-wide security planning and management. We\n  found that the USMS has not appointed a security manager for PTS and the\n  organization did not ensure that employees receive specialized PTS training\n  either before accessing the system or within a reasonable period thereafter.\n  Weaknesses with segregation of duties occurred because the USMS has not\n  developed and implemented formal operating policies and procedures to\n  guide users in the performance of their duties. Furthermore, the\n  organization has not developed policies to segregate incompatible duties.\n\n        We also found that PTS users were not familiar with the USMS\xe2\x80\x99s\n  application software development and change control procedures and that\n  the USMS is using outdated programming and database management\n         16\n             According to USMS Policy Directive No. 99-47, Cellblock Operations, prisoner\n  manifest forms such as the USMS\xe2\x80\x99 Form 40/41, \xe2\x80\x9cPrisoner Remand or Order to Deliver &\n  Receipt for U.S. Prisoners,\xe2\x80\x9d are executed to reflect the transfer of custody during the release\n  of prisoners to the temporary custody of law enforcement officers.\n\n                                               40\n\x0csoftware to support the PTS, a mission-critical application. We determined\nthat access controls were inadequate because the PTS authorized user list\nwas not properly maintained and physical access controls designed to\nprotect data terminals that process sensitive PTS information were not\nenforced.\n\n       Our review of the PTS\xe2\x80\x99s application controls disclosed that controls to\nproperly authorize data and validate transactions were deficient.\nSpecifically, we found tha t the USMS had not established proper\nauthorization controls or standards for key source documents used to create\nprisoner records in the PTS. Additionally, supervisory reviews of source\ndocuments and transactions were not being performed on a consistent basis\nto mitigate this condition. We also discovered that audit logs used to\nrecreate events and track user activity were not being kept. Problems with\naccuracy controls included weaknesses with erroneous data not being\ncollected or reported back to management for investigation or correction.\nFurthermore, the USMS failed to control system output reports by allowing\nauthorized PTS users to share printers with non-authorized USMS\nemployees.\n\n      Deficiencies with completeness controls involved the USMS\xe2\x80\x99s failure to\nenforce its own policy that dictates that a prisoner may not have more than\none USMS prisoner number. To complicate matters, the current PTS\nconfiguration does not provide for universal computer sequence checking to\nprevent the assignment of multiple USMS numbers to the same prisoner. In\naddition, we found that the application did not consistently enforce controls\nover integrity of processing and data files. We observed that the system\nallowed concurrent file updates when two users were able to update the\nsame prisoner record at the same time.\n\n        Problems were identified with data integrity for the PTS application\nduring our review of prisoner records for completeness and in our checks for\naccuracy of information contained in system output. We found that prisoner\nfile folders were missing key source documents critical to the record creation\nprocess and that the proper documentation needed to substantiate actions\ntaken by USMS personnel was not maintained in the folders.\n\n       We consider our findings in the areas of select general controls,\napplication controls, and data integrity to be major weaknesses that pose a\nhigh risk to the protection of its data from unauthorized use, loss, or\nmodification. We conclude that the weaknesses with select general controls\nand application controls occurred because the USMS did not enforce its own\npolicies and did not comply with the Department\xe2\x80\x99s policies and procedures,\nNIST standards, and OMB guidelines. We further conclude that the\n\n                                     41\n\x0cdeficiencies with data integrity occurred because the USMS did not develop\nand implement formal policies and procedures to guide users in the\nperformance of critical duties, such as creating and updating prisoner\nrecords in the PTS. As a result, we found errors and omissions on system\noutput reports that we attributed to the lack of sufficient training and\ninconsistent practices.\n\n      The USMS\xe2\x80\x99s reliance on the data within the PTS with inaccurate\ninformation could result in over expenditures for reimbursable contracts with\nprivate jail facilities. Additionally, the untimely release of a prisoner or the\nmisidentification of a prisoner requiring segregation or protection within the\nprisoner population also could occur. If not corrected, these weaknesses\ncould impair the USMS\xe2\x80\x99s ability to ensure the integrity, confidentiality, and\navailability of data contained within the PTS.\n\n\n\n\n                                      42\n\x0c                                                                 APPENDIX 1\n\n\n\n                   OBJECTIVES, SCOPE, AND METHODOLOGY\n\n       Our audit objectives were to review application controls, select general\ncontrols, and assess the reliability of the Prisoner Tracking System (PTS)\ndata. The audit work, which occurred between June and December 2003,\nwas performed in accordance with the Government Auditing Standards. We\nconducted fieldwork at the United States Marshals Service (USMS)\nheadquarters in Arlington, Virginia, and 8 of the 94 USMS district offices\n(DOs). The eight DOs were: Alexandria, Virginia; Washington, D.C.; New\nYork, New York; Houston, Texas; Philadelphia, Pennsylvania; Chicago,\nIllinois; Miami, Florida; and Phoenix, Arizona. The DOs were selected\nbecause their location, detainee processing volume, or USMS headquarters\nidentified them as \xe2\x80\x9cmodel sites.\xe2\x80\x9d\n\n       Although our primary objectives were to review application controls\nand perform data integrity testing, our audit criteria for evaluating\napplication controls included certain select general control areas. Those\nsteps involved obtaining an overview of the application\xe2\x80\x99s user population\n(access controls), developing an understanding of the operational workflow\nprocess (entity-wide security program planning and management and\nsegregation of duties), and developing an understanding of the hardware\nand software environment (system software, application software\ndevelopment, and service continuity). Therefore, this report contains\nfindings from select general control areas required to assess the\neffectiveness of PTS\xe2\x80\x99s application controls.\n\n      The Marshals Network (MNET) serves as the PTS\xe2\x80\x99s system environment\nbecause PTS users must login to MNET to gain access to PTS servers. The\nOIG performed an audit of MNET\xe2\x80\x99s general controls during its fiscal year\n2003 Federal Information Security Management Act (FISMA) review. We\ntherefore relied on audit findings disclosed during the FISMA review as an\nassessment of the PTS application\xe2\x80\x99s system environment and reported on\nthose select general controls we reviewed as required by the application\ncontrols audit criteria.\n\n      To accomplish our audit objectives, we conducted over 50 interviews\nand visited the 8 DOs represented on the map in Appendix 2. We\ninterviewed USMS headquarters officials from the Prisoner Services Division,\nPlanning and Analysis Branch, and Information Technology Services Division\nto assess select general controls, such as entity-wide security program\nplanning and management of the PTS and service continuity. From these\ninterviews, we were able to gain an understanding of the application\xe2\x80\x99s user\npopulation, operational workflow process, and hardware and software\n\n                                      43\n\x0cenvironment. Additionally, we obtained information from deputy marshals,\nadministrative officers, criminal clerks, detention enforcement officers, and\nsystem administrators at each DO visited to evaluate the overall\neffectiveness of application controls for protecting the PTS\xe2\x80\x99s data. We\nspecifically reviewed authorization, completeness, accuracy, and integrity of\nprocessing controls.\n\n       Our visits to the selected DOs included observing operational activities\nand performing data integrity testing. Our observation of operational\nactivities allowed us to assess the USMS\xe2\x80\x99s compliance with the Federal\nInformation System Controls Audit Manual (FISCAM), USMS\xe2\x80\x99s PTS User\nManual, and USMS\xe2\x80\x99s Policy Directive No. 99-47 (Cellblock Operations). To\nperform data integrity testing, we judgmentally selected a total of 200\nprisoners\xe2\x80\x99 file folders (25 file folders at each of the 8 sites visited). We\nreviewed these prisoners\xe2\x80\x99 records for completeness of information and\nmanually compared source documents to the PTS output to determine\naccuracy of information as recommended in the General Accounting Office\xe2\x80\x99s\n(GAO) guidance for Assessing the Reliability of Computer-Processed Data.\n\n      Additionally, we reviewed the certification and accreditation\ndocumentation for the PTS, the Department\xe2\x80\x99s information technology\nmanagement policies and procedures, the USMS\xe2\x80\x99s organizational structures,\nand information contained within individual prisoner file folders.\n\n\n\n\n                                      44\n\x0c                                                                                       APPENDIX 2\n\n\n                            FIELDWORK SITE VISIT MAP\nMap\n\n\n\n\n                          District Offices Visited Representing\n                         United States Marshals Service Regions\n\n\n                                                                   Chicago, Illinois\n\n\n\n\n                                           MID-WEST\n                                             Region\n                         WEST\n                                                                     NORTHEAST\n                         Region\n                                                                       Region\n\n\n      Phoenix, Arizona\n                                               SOUTH                                     Alexandria, Virginia\n                                                                                         District of Columbia\n                                               Region                                    New York, New York\n                                                                                         Philadelphia,, Pennsylvania\n\n\n\n\n                                                  Houston, Texas\n                                                  Miami, Florida\n\n\n\n\n                                          45\n\x0c                                                                     APPENDIX 3\n\n\n     FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL\n\n                            SELECT GENERAL CONTROLS\n\n\n                                                                    VULNERABILITIES\n                       CONTROL AREAS\n                                                                        NOTED\nEntity-wide Security Program Planning & Management\nAssess risks periodically\nDocument an entity-wide security program plan\nEstablish a security management structure and clearly assign\nsecurity responsibilities                                                  \xe2\x88\x9a\nImplement effective security-related personnel policies                    \xe2\x88\x9a\nMonitor the security program\xe2\x80\x99s effectiveness and make changes\nas needed\nAccess Controls\nClassify information resources according to their criticality and\nsensitivity\nMaintain a current list of authorized users and ensure that their\naccess is authorized                                                       \xe2\x88\x9a\nEstablish physical and logical controls to prevent and detect\nunauthorized access                                                        \xe2\x88\x9a\nMonitor access, investigate apparent security violations, and\ntake appropriate remedial action\nApplication Software Development & Change Control\nAuthorize processing features and modifications                            \xe2\x88\x9a\nTest and approve all new and revised software\nControl software libraries\nSystem Software\nLimit access to system software\nMonitor access to and use of system software\nControl system software changes                                            \xe2\x88\x9a\nSegregation of Duties\nSegregate incompatible duties and establish related policies               \xe2\x88\x9a\nEstablish access controls to enforce segregation of duties\nControl personnel activities through formal operating procedures\nand supervision and review                                                 \xe2\x88\x9a\nService Continuity\nAssess the criticality and sensitivity of computerized operations\nand identify supporting resources                                          \xe2\x88\x9a\nTake steps to prevent and minimize potential damage and\ninterruption                                                               \xe2\x88\x9a\nDevelop and document a comprehensive contingency plan\nTest the contingency plan periodically and adjust it as\nappropriate                                                                \xe2\x88\x9a\n\n                                        46\n\x0c     FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL\n\n                          APPLICATION CONTROLS\n\n\n                                                                   VULNERABILITIES\n                      CONTROL AREAS\n                                                                       NOTED\nAuthorization Controls\nAll data are authorized before entering the application system            \xe2\x88\x9a\nRestrict data entry terminals to authorized users for authorized\npurposes                                                                  \xe2\x88\x9a\nMaster files and exception reporting help ensure all data are\nprocessed and are authorized\nCompleteness Controls\nAll authorized transactions are entered into and processed by\nthe computer                                                              \xe2\x88\x9a\nReconciliations are performed to verify data completeness\nAccuracy Controls\nData entry design features contribute to data accuracy\nData validation and editing are performed to identify erroneous\ndata\nErroneous data are captured, reported, investigated, and\ncorrected                                                                 \xe2\x88\x9a\nOutput reports are reviewed to help maintain data accuracy\nand validity                                                              \xe2\x88\x9a\nControls Over Integrity of Processing and Data Files\nProcedures ensure that the current version of production\nprograms and data files are used during processing\nPrograms include routines to verify that the proper version of\nthe computer files is used during processing\nPrograms include routines for checking internal file header\nlabels before processing\nMechanisms within the application protect against concurrent\nfile updates                                                              \xe2\x88\x9a\n\n\n\n\n                                        47\n\x0c                                                          APPENDIX 4\n\n\n\n\n               GENERAL ACCOUNTING OFFICE\n  ASSESSING THE RELIABILITY OF COMPUTER-PROCESSED DATA\n\n               DATA INTEGRITY ASSESSMENT FACTORS\n\n                                                       VULNERABILITIES\n                                                           NOTED\nCompleteness of Information\nContain all of the data elements and records used as\n                                                              \xe2\x88\x9a\nsupport for the transactions\nAccuracy of Information\nReflect the data obtained from the source documents           \xe2\x88\x9a\n\n\n\n\n                                      48\n\x0c                                                                          APPENDIX 5\n\n\n                    GENERAL ACCOUNTING OFFICE\n        FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL\n\n                 GENERAL CONTROLS REVIEW GUIDELINES\n\n\n      The general controls guidelines used for this audit were obtained from\nChapter 3, \xe2\x80\x9cEvaluating and Testing General Controls,\xe2\x80\x9d of the GAO\xe2\x80\x99s FISCAM.\nThe information below represents only those sections from the FISCAM that\nserve as the basis for the vulnerabilities identified during our review of the\nPrisoner Tracking System.17\n\n3.0 OVERVIEW\n\n      General controls are the structure, policies, and procedures that apply\nto an entity\xe2\x80\x99s overall computer operations. They create the environment in\nwhich application systems and controls operate. During a financial\nstatement audit, the auditor will focus on general controls that normally\npertain to an entity\xe2\x80\x99s major computer facilities and systems supporting a\nnumber of different applications, such as major data processing installations\nor local area networks. If general controls are weak, they severely diminish\nthe reliability of controls associated with individual applications. For this\nreason, general controls are usually evaluated separately from and prior to\nevaluating application controls.\n\nThere are six major categories of general controls that the auditor should\nconsider. These are:\n\n\xe2\x80\xa2 entity-wide security program planning and management that\n  provides a framework and continuing cycle of activity for managing risk,\n  developing security policies, assigning responsibilities, and monitoring the\n  adequacy of the entity\xe2\x80\x99s computer-related controls;\n\n\xe2\x80\xa2 access controls that limit or detect access to computer resources (data,\n  programs, equipment, and facilities), thereby protecting these resources\n  against unauthorized modification, loss, and disclosure;\n\n\xe2\x80\xa2 application software development and change controls that prevent\n  unauthorized programs or modifications to an existing program from\n  being implemented;\n\n\n\n   17\n      The areas from the FISCAM selected for inclusion in this report have been\nparaphrased.\n\n                                           49\n\x0c\xe2\x80\xa2 system software controls that limit and monitor access to the powerful\n  programs and sensitive files that (1) control the computer hardware, and\n  (2) secure applications supported by the system;\n\n\xe2\x80\xa2   segregation of duties that are policies, procedures, and an\n    organizational structure established so that one individual cannot control\n    key aspects of computer-related operations and thereby conduct\n    unauthorized actions or gain unauthorized access to assets or records;\n    and\n\n\xe2\x80\xa2 service continuity controls to ensure that when unexpected events\n  occur, critical operations continue without interruption or are promptly\n  resumed, and critical and sensitive data are protected.\n\nFor each of these six categories, the manual identifies several critical\nelements that represent tasks that are essential for establishing adequate\ncontrols. For each critical element, there is a discussion of the associated\nobjectives, risks, and critical activities, as well as related control techniques\nand audit concerns. The auditor can use this information to evaluate entity\npractices.\n\n3.1    ENTITY-WIDE SECURITY PROGRAM PLANNING AND\n       MANAGEMENT (SP)\n\nAn entity-wide program for security planning and management is the\nfoundation of an entity\xe2\x80\x99s security control structure and a reflection of senior\nmanagement\xe2\x80\x99s commitment to addressing security risks. The program\nshould establish a framework and continuing cycle of activity for assessing\nrisk, developing and implementing effective security procedures, and\nmonitoring the effectiveness of these procedures. Without a well-designed\nprogram, security controls may be inadequate; responsibilities may be\nunclear, misunderstood, and improperly implemented; and controls may be\ninconsistently applied. Such conditions may lead to insufficient protection of\nsensitive or critical resources and disproportionately high expenditures for\ncontrols over low-risk resources.\n\n\n\n\n                                       50\n\x0c    CRITICAL ELEMENTS\n\n    SP-1 Assess risks periodically\n    SP-2 Document an entity-wide security program plan\n    SP-3 Establish a security management structure and clearly assign\n         security responsibilities\n    SP-4 Implement effective security-related personnel policies\n    SP-5 Monitor the security program\xe2\x80\x99s effectiveness and make changes as\n         needed\n\n\n\n    Critical Element SP-3: Establish a security management structure\n    and clearly assign security responsibilities\n\n\nSenior management should establish a structure to implement the security\nprogram throughout the entity. The structure generally consists of a core of\npersonnel who are designated as security managers. These personnel play a\nkey role in developing, communicating, and monitoring compliance with\nsecurity policies and reporting on these activities to senior management.\nThe security management function also serves as a focal point for others\nwho plan a role in evaluating the appropriateness and effectiveness of\ncomputer-related controls on a day-to-day basis. These include program\nmanagers who rely on the entity\xe2\x80\x99s computer systems, system\nadministrators, and system users.\n\nSP-3.1: A security management structure has been established\n\nThe effectiveness of the security program is affected by the way in which\nresponsibility for overseeing its implementation is assigned. Generally, such\nresponsibility is assigned to a central security program office.\n\nResponsibilities of the central security program office may include:\n\n\xe2\x80\xa2    facilitating risk assessments,\n\xe2\x80\xa2    coordinating the development of and distributing security policies and\n     procedures,\n\xe2\x80\xa2    routinely monitoring compliance with these policies,\n\xe2\x80\xa2    promoting security awareness among system users,\n\xe2\x80\xa2    providing reports to senior management on policy and control evaluation\n     results and giving advice to senior management on security policy-related\n     issues; and\n\xe2\x80\xa2    representing the entity in the security community.\n\n                                      51\n\x0cSP-3.2: Information security responsibilities are clearly assigned\n\nOMB Circular A-130, Appendix III, requires that the rules of the system and\napplication \xe2\x80\x9cshall clearly delineate responsibilities and expected behavior of\nall individuals with access . . . and shall be clear about the consequences of\nbehavior not consistent with the rules.\xe2\x80\x9d Security-related responsibilities of\noffices and individuals throughout the entity that should be clearly defined\ninclude those of (1) information resource owners and users, (2) information\nresources management and data processing personnel, (3) senior\nmanagement, and (4) security administrators. Further, responsibilities for\nindividual employee accountability regarding the use and disclosure of\ninformation resources should be established.\xe2\x80\x9d\n\n Critical Element SP-4:      Implement effective security-related\n personnel policies\n\nPolicies related to personnel actions, such as hiring and termination, and\nemployee expertise are important factors for information security. If\npersonnel policies are not adequate, an entity runs the risk of (1) hiring\nunqualified or untrustworthy individuals, (2) providing terminated\nemployees opportunities to sabotage or otherwise impair entity operations\nor assets, (3) failing to detect continuing unauthorized employee actions,\n(4) lowering employee morale, which may in turn diminish employee\ncompliance with controls, and (5) allowing staff expertise to decline.\n\nSP-4.2: Employees have adequate training and expertise\n\nManagement should ensure that employees \xe2\x80\x93 including data owners, system\nusers, data processing personnel, and security management personnel \xe2\x80\x93\nhave the expertise to carry out their information security responsibilities. To\naccomplish this, the security program should include:\n\n   \xe2\x80\xa2   job descriptions that include the education, experience, and\n       expertise needed;\n   \xe2\x80\xa2   periodic reassessment of the adequacy of employees\xe2\x80\x99 skills;\n   \xe2\x80\xa2   annual training requirements and professional development programs\n       to help make certain employees\xe2\x80\x99 skills, especially technical skills, are\n       adequate and current; and\n   \xe2\x80\xa2   monitoring employee training and professional development\n       accomplishments.\n\n\n\n\n                                       52\n\x0c3.2 ACCESS CONTROLS (AC)\n\nAccess controls should provide reasonable assurance that computer\nresources (data files, application programs, and computer-related facilities\nand equipment) are protected against unauthorized modification, disclosure,\nloss, or impairment. Such controls include physical controls, such as\nkeeping computers in locked rooms to limit physical access, and logical\ncontrols, such as security software programs designed to prevent or detect\nunauthorized access to sensitive files.\n\nInadequate access controls diminish the reliability of computerized data and\nincrease the risk of destruction or inappropriate disclosure of data. The\nfollowing examples illustrate the potential consequences of such\nvulnerabilities.\n\n  \xe2\x80\xa2   By obtaining direct access to data files, an individual could make\n      unauthorized changes for personal gain or obtain sensitive\n      information. For example, a person could (1) alter the address of a\n      payee and thereby direct a disbursement to himself or herself, (2)\n      alter inventory quantities to conceal a theft of assets, (3) inadvertently\n      or purposefully change a receivable balance, or (4) obtain confidential\n      information about business transactions or individuals.\n\n  \xe2\x80\xa2   By obtaining access to application programs used to process\n      transactions, an individual could make unauthorized changes to these\n      programs or introduce malicious programs, which in turn could be\n      used to access data files, resulting in situations similar to those\n      described above, or to process unauthorized transactions. For\n      example, a person could alter a payroll or payables program to\n      inappropriately generate a check for himself or herself.\n\n  \xe2\x80\xa2   By obtaining access to computer facilities and equipment, an individual\n      could (1) obtain access to terminals or telecommunications equipment\n      that provide input into the computer, (2) obtain access to confidential\n      or sensitive information on magnetic or printed media, (3) substitute\n      unauthorized data or programs, or (4) steal or inflict malicious damage\n      on computer equipment and software.\n\n\n\n\n                                      53\n\x0c CRITICAL ELEMENTS\n\n AC-1 Classify information resources according to their criticality and\n      sensitivity\n AC-2 Maintain a current list of authorized users and ensure that their\n      access is authorized\n AC-3 Establish physical and logical controls to prevent and detect\n      unauthorized access\n AC-4 Monitor access, investigate apparent security violations, and take\n      appropriate remedial action\n\n\n\n Critical Element AC-2 : Maintain a current list of authorized users\n and ensure that their access is authorized\n\n\n\nAn entity should institute policies and procedures for authorizing access to\ninformation resources and documenting such authorizations. These policies\nand procedures should cover user access needed for routine operations,\nemergency access, and the sharing and disposition of data with individuals\nor groups outside the entity.\n\nAC-2.1: Resource owners have identified authorized users and their\n        access authorized\n\nThe computer resource owner should identify the specific user or class of\nusers that are authorized to obtain direct access to each resource for which\nhe or she is responsible. This process can be simplified by developing\nstandard profiles, which describe access needs for groups of users with\nsimilar duties, such as accounts payable clerks.\n\nAccess may be permitted at a file, record, or field level. Files are composed\nof records, typically one for each item or transaction. Individual records are\ncomposed of fields that contain specific data elements relating to each\nrecord. Access authorizations should be documented on standard forms,\nmaintained on file, approved by senior managers, and securely transferred\nto security managers. Owners should periodically review access\nauthorization listings and determine whether they remain appropriate.\n\nListings of authorized users and their specific access needs and any\nmodifications should be approved by an appropriate senior manager and\n\n                                      54\n\x0cdirectly communicated in writing by the resource owner to the security\nmanagement function.\n\nIt is equally important to notify the security management function\nimmediately when an employee is terminated or, for some other reason, is\nno longer authorized access to information resources.\n\n    Critical Element AC-3 : Establish physical and logical controls to\n    prevent and detect unauthorized access\n\n\n\nThe entity should have a cost-effective process for protecting data files,\napplication programs, and hardware through a combination of physical and\nlogical security controls. Physical security involves restricting physical\naccess to computer resources, usually by limiting access to the buildings and\nrooms where they are housed, or by installing locks on computer terminals.\nHowever, physical controls alone cannot ensure that programs and data are\nprotected. For this reason, it is important to establish logical security\ncontrols that protect the integrity and confidentiality of sensitive files. The\nsecurity function should be responsible for implementing and maintaining\nboth physical and logical controls based upon authorizations provided by the\nowners of the resources.\n\nAC-3.1: Adequate physical security controls have been implemented\n\nPhysical security controls restrict physical access to computer resources and\nprotect them from intentional or unint entional loss or impairment.\n\nIn evaluating the effectiveness of physical security controls, the auditor\nshould consider the effectiveness of the entity\xe2\x80\x99s policies and practices for:\n\n\xe2\x80\xa2    granting and discontinuing access authorizations,\n\xe2\x80\xa2    controlling passkeys,\n\xe2\x80\xa2    controlling entry during and after normal business hours,\n\xe2\x80\xa2    controlling the deposit and withdrawal of tapes and other storage media\n     to and from the library,\n\xe2\x80\xa2    handling emergencies,\n\xe2\x80\xa2    controlling reentry after emergencies; and\n\xe2\x80\xa2    establishing compensatory controls when restricting physical access is not\n     feasible, as is often the case with telecommunications lines.\n\n\n\n\n                                       55\n\x0c3.3 APPLICATION SOFTWARE DEVELOPMENT AND CHANGE\n    CONTROL (CC)\n\nApplication software is designed to support a specific operation, such as\npayroll or loan accounting. Typically several applications may operate under\none set of operating system software. Controls over operating system\nsoftware are discussed in Section 3.4.\n\nEstablishing controls over the modifications of application software programs\nhelps to ensure that only authorized programs and authorized modifications\nare implemented. This is accomplished by instituting policies, procedures,\nand techniques that help make sure all programs and program modifications\nare properly authorized, tested, and approved; and that access to and\ndistribution of programs is carefully controlled. Without proper controls,\nthere is a risk that security features could be inadvertently or deliberately\nomitted or \xe2\x80\x9cturned off\xe2\x80\x9d or that processing irregularities or malicious code\ncould be introduced. For example,\n\n  \xe2\x80\xa2   a knowledgeable programmer could surreptitiously modify program\n      code to provide a means of bypassing controls to gain access to\n      sensitive data;\n  \xe2\x80\xa2   the wrong version of a program could be implemented, thereby\n      perpetuating outdated or erroneous processing that is assumed to\n      have been updated; or\n  \xe2\x80\xa2   a virus could be introduced, inadvertently or on purpose, that disrupts\n      processing.\n\n\n CRITICAL ELEMENTS\n\n CC-1 Authorize processing features and modifications\n CC-2 Test and approve all new and revised software\n CC-3 Control software libraries\n\n\n\n\n Critical Element CC-1 : Authorize processing features and\n modifications\n\n\nThe processing features built into application software should be authorized\nby the managers responsible for the agency program or operations that the\napplication supports. This is because these are the managers responsible for\nseeing that software supporting their operations meets their needs and\n\n                                     56\n\x0cproduces reliable data and that the operations are carried out in accordance\nwith applicable laws, regulations, and management policies. For example,\nthe processing features associated with loan accounting software should be\nauthorized by the loan program managers. Such user or owner\nauthorization is needed when new systems are being developed, as well as\nwhen operational systems are being modified.\n\nAuthorization is the first step in implementing the features or the changes\nthat have been decided on by the users, and the entity should have a\nprocess for obtaining, documenting, and communicating such authorizations\nas part of its system development life cycle (SDLC) methodology. If\nauthorization procedures have not been developed or are not followed, an\nindividual might be able to initiate program changes that result in erroneous\nprocessing or weakened access controls or edits built into the software.\n\nCC-1.2: Authorizations for software modifications are documented\n        and maintained\n\nPolicies and procedures should be in place that detail who can authorize a\nmodification and how these authorizations are to be documented. Generally\nthe application users have the primary responsibility for authorizing systems\nchanges. However, users should be required to discuss their proposed\nchanges with systems developers to confirm that the change is feasible and\ncost effective. For this reason, an entity may require a senior systems\ndeveloper to co-authorize a change.\n\nThe use of standardized change request forms helps ensure that requests\nare clearly communicated and that approvals are documented.\nAuthorization documentation should be maintained for at least as long as a\nsystem is in operation in case questions arise regarding why or when system\nmodifications were made. Authorization documents may be maintained in\neither paper or electronic form as long as their integrity is protected.\n\n3.4 SYSTEM SOFTWARE (SS)\n\nSystem software is a set of programs designed to operate and control the\nprocessing activities of computer equipment. Generally, one set of system\nsoftware is used to support and control a variety of applications that may\nrun on the same computer hardware. System software helps control and\ncoordinate the input, processing, output, and data storage associated with\nall of the applications that run on a system. Some system software can\n\n\n\n\n                                     57\n\x0cchange data and program code on files without leaving an audit trail. The\nfollowing are examples of system software:\n\n   \xe2\x80\xa2   operating system,\n   \xe2\x80\xa2   system utilities,\n   \xe2\x80\xa2   program library,\n   \xe2\x80\xa2   file maintenance,\n   \xe2\x80\xa2   security,\n   \xe2\x80\xa2   data communications systems; and\n   \xe2\x80\xa2   database management systems.\n\nControls over access to and modification of system software are essential in\nproviding reasonable assurance that operating system-based security\ncontrols are not compromised and that the system will not be impaired.\nInadequate controls in this area could lead to unauthorized individuals using\nsystem software to circumvent security controls to read, modify, or delete\ncritical or sensitive information and programs; authorized users of the\nsystem gaining unauthorized privileges to conduct unauthorized actions;\nand/or systems software being used to circumvent edits and other controls\nbuilt into application programs. Such weaknesses seriously diminish the\nreliability of information produced by all of the applications supported by the\ncomputer system and increase the risk of fraud and sabotage. System\nsoftware programmers are often more technically qualified than other data\nprocessing personnel and, thus, have a greater ability to perform\nunauthorized actions if controls in this area are weak.\n\n\n   CRITICAL ELEMENTS\n\n   SS-1 Limit access to system software\n   SS-2 Monitor access to and use of system software\n   SS-3 Control system software changes\n\n\n\n  Critical Element SS-3: Control system software changes\n\n\nModifications to system software should be controlled so that only authorized\nand properly tested changes are implemented. If system software is not\nadequately controlled and tested, system parameters may be inadequate to\nprevent unauthorized changes to application programs or data.\nFurthermore, software malfunctions during processing runs could result in\ninaccurate or incomplete financial data. Controls should provide that all\n\n                                      58\n\x0cchanges are tested and approved and that only approved system software is\nimplemented.\n\nSS-3.2: Installation of system software is documented and reviewed\n\nWhen possible, the installation of system software changes and new versions\nor products should be scheduled to minimize the impact on data processing\noperations, and an advance notice should be provided to system software\nusers. The actual installation should be logged to establish an audit trail and\nreviewed by data center management. The migration of system software\nfrom the testing environment to the production environment should be done,\nafter approval, by an independent library control group. Outdated versions\nof system software should be removed from the production environment to\npreclude their future use. Some changes may be made specifically to\ncorrect security or integrity vulnerabilities, while using outdated versions\nallows the entity\xe2\x80\x99s data and systems to remain exposed to these\nvulnerabilities.\n\nAll vendor-supplied system software should be supported by the vendor.\nVendors often release new versions of system software products and may\ndiscontinue support of earlier versions. Enhancements and corrections made\nto subsequent versions of system software will not be available to entities\nthat forgo acquiring the latest version. All system software should have\ncurrent and complete documentation. Inadequate documentation will hinder\nmaintenance activities, particularly during emergency situations when\nin-house systems programmers are attempting to restart a failed system\nand vendor assistance is not readily available.\n\n3.5   SEGREGATION OF DUTIES (SD)\n\nWork responsibilities should be segregated so that one individual does not\ncontrol all critical stages of a process. For example, while users may\nauthorize program changes, programmers should not be allowed to do so\nbecause they are not the owners of the system and do not have the\nresponsibility to see that the system meets user needs. Similarly, one\ncomputer programmer should not be allowed to independently write, test,\nand approve program changes. Often, segregation of duties is achieved by\nsplitting responsibilities between two or more organizational groups.\nDividing duties among two or more individuals or groups diminishes the\nlikelihood that errors and wrongful acts will go undetected because the\nactivities of one group or individual will serve as a check on the activities of\nthe other.\n\n\n\n                                       59\n\x0c CRITICAL ELEMENTS\n\n SD-1 Segregate incompatible duties and establish related policies\n SD-2 Establish access controls to enforce segregation of duties\n SD-3 Control personnel activities through formal operating procedures\n      and supervision and review\n\n\n\n Critical Element SD-1: Segregate incompatible duties and\n establish related policies\n\n\n\nThe first steps in determining if duties are appropriately segregated are to\nanalyze the entity\xe2\x80\x99s operations, identify incompatible duties, and assign\nthese duties to different organizational units or individuals. Federal internal\ncontrol standards specify that key duties and responsibilities for authorizing,\nprocessing, recording, and reviewing transactions should be separated. This\nconcept can also be applied to the authorization, testing, and review of\ncomputer program changes.\n\nSegregating duties begins by establishing independent organizational groups\nwith defined functions, such as a payroll unit responsible for preparing\npayroll transaction input and a data processing unit responsible for\nprocessing input prepared by other units. Functions and related tasks\nperformed by each unit should be documented for the unit and in staff job\ndescriptions and should be clearly communicated to personnel assigned the\nresponsibilities.\n\nSD-1.1: Incompatible duties have been identified and policies\n        implemented to segregate these duties\n\nManagement should have analyzed operations and identified incompatible\nduties tha t are then segregated through policies and organizational divisions.\nAlthough incompatible duties may vary from one entity to another, the\nfollowing functions are generally performed by different individuals:\nInformation Systems (IS) management, systems design, application\nprogramming, systems programming, quality assurance/testing, library\nmanagement/change management, computer operations, production control\nand scheduling, data security, data administration, and network\nadministration.\n\n\n\n\n                                      60\n\x0cThe following include examples of restrictions that are generally addressed in\npolicies about segregating duties and are achieved through organizational\ndivisions and access controls.\n\n   \xe2\x80\xa2   Application users should not have access to operating system or\n       application software.\n   \xe2\x80\xa2   Programmers should not be responsible for moving programs into\n       production or have access to production libraries or data.\n   \xe2\x80\xa2   Access to operating system documentation should be restricted to\n       authorized systems programming personnel.\n   \xe2\x80\xa2   Access to application system documentation should be restricted to\n       authorized applications programming personnel.\n   \xe2\x80\xa2   Access to production software libraries should be restricted to library\n       management personnel.\n   \xe2\x80\xa2   Persons other than computer operators should not set up or operate\n       the production computer.\n   \xe2\x80\xa2   Only users, not computer staff, should be responsible for transaction\n       origination or correction and for initiating changes to application files.\n   \xe2\x80\xa2   Computer operators should not have access to program libraries or\n       data files.\n\nSome steps involved in processing a transaction also need to be\nseparated among different individuals. For example, the following\ncombinations of functions should not be performed by a single individual.\n\n   \xe2\x80\xa2   Data entry and verification of data,\n   \xe2\x80\xa2   Data entry and its reconciliation to output,\n   \xe2\x80\xa2   Input of transactions for incompatible processing functions (e.g., input\n       of vendor invoices and purchasing and receiving information); and\n   \xe2\x80\xa2   Data entry and supervisory authorization functions (e.g., authorizing a\n       rejected transaction to continue processing that exceeds some limit\n       requiring a supervisor\xe2\x80\x99s review and approval).\n\nOrganizations with limited resources to segregate duties should have\ncompensating controls, such as supervisory review of transactions\nperformed.\n\n Critical E lement SD-3: Control personnel activities through formal\n operating procedures and supervision and review\n\n\nControl over personnel activities requires formal operating procedures and\nactive supervision and review of these activities. This is especially relevant\n\n\n                                        61\n\x0cfor computer operators. Inadequacies in this area could allow mistakes to\noccur and go undetected, and facilitate unauthorized use of the computer.\n\nSD-3.1: Formal procedures guide personnel in performing their\n        duties\n\nDetailed, written instructions should exist and be followed to guide\npersonnel in performing their duties. These instructions are especially\nimportant for computer operators. For example, computer operator\ninstruction manuals should provide guidance on system startup and shut\ndown procedures, emergency procedures, system and job status reporting,\nand operator prohibited activities. Application-specific manuals\n(commonly called \xe2\x80\x9crun\xe2\x80\x9d manuals) should provide additional instructions for\noperators specific to each application, such as instructions on job setup,\nconsole and error messages, job checkpoints, and restart and recovery\nsteps after system failures. Operators should be prevented from overriding\nfile label or equipment error messages.\n\nSD-3.2: Active supervision and review are provided for all personnel\n\nSupervision and review of personnel activities help make certain that these\nactivities are performed in accordance with prescribed procedures, that\nmistakes are corrected, and that the computer is used only for authorized\npurposes. To aid in this oversight, all computer operator activities on the\ncomputer system should be recorded on an automated history log, which\nserves as an audit trail. Supervisors should routinely review this history log\nand investigate any abnormalities.\n\n3.6 SERVICE CONTINUITY (SC)\n\nLosing the capability to process, retrieve, and protect information\nmaintained electronically can significantly affect an agency\xe2\x80\x99s ability to\naccomplish its mission. For this reason, an agency should have (1)\nprocedures in place to protect information resources and minimize the risk of\nunplanned interruptions and (2) a plan to recover critical operations should\ninterruptions occur. These plans should consider the activities performed at\ngeneral support facilities, such as data processing centers and\ntelecommunications facilities, as well as the activities performed by users of\nspecific applications. To determine whether recovery plans will work as\nintended, they should be tested periodically in disaster simulation exercises.\n\nTo mitigate service interruptions, it is essential that the related controls be\nunderstood and supported by management and staff throughout the\norganization. Senior management commitment is especially important to\n\n\n                                       62\n\x0censure that adequate resources are devoted to emergency planning,\ntraining, and related testing. In addition, all staff with service continuity\nresponsibilities, such as staff responsible for backing up files, should be fully\naware of the risks of not fulfilling these duties.\n\n\n CRITICAL ELEMENTS\n\n SC-1 Assess the criticality and sensitivity of computerized operations and\n      identify supporting resources\n SC-2 Take steps to prevent and minimize potential damage and\n      interruption\n SC-3 Develop and document a comprehensive contingency plan\n SC-4 Test the contingency plan periodically and adjust it as appropriate\n\n\n\n Critical Element SC-1: Assess the criticality and sensitivity of\n computerized operations and identify supporting resources\n\n\nAt most entities, the continuity of certain automated operations is more\nimportant than others, and it is not cost-effective to provide the same level\nof continuity for all operations. For this reason, it is important that\nmanagement analyze data and operations to determine which are the most\ncritical and what resources are needed to recover and support them. This is\nthe first step in determining which resources merit the greatest protection\nand what contingency plans need to be made.\n\n    SC-1.2: Resources supporting critical operations are identified\n\nOnce critical data and operations have been determined, the minimum\nresources needed to support them should be identified and their role\nanalyzed. The resources considered include computer resources, such as\ncomputer hardware, software, and data files; computer supplies, including\npaper stock and preprinted forms; telecommunications services; and any\nother resources that are necessary to the operation, such as people, office\nfacilities and supplies, and noncomputerized records. For example, an\nanalysis should be performed to identify the maximum number of disk drives\nneeded at one time and the specific requirements for telecommunications\nlines and devices.\n\nBecause essential resources are likely to be held or managed by a variety of\ngroups within an organization, it is important that program and information\n\n\n                                       63\n\x0csecurity (IS) support staff work together to identify the resources for critical\noperations.\n\n    Critical Element SC-2: Take steps to prevent and minimize\n    potential damage and interruption\n\n\nThere are a number of steps that an organization should take to prevent or\nminimize the damage to automated operations that can occur from\nunexpected events. These can be categorized as follows:\n\n\xe2\x80\xa2    routinely duplicating or backing up data files, computer programs, and\n     critical documents with off-site storage;\n\xe2\x80\xa2    installing environmental controls, such as fire suppression systems or\n     backup power supplies;\n\xe2\x80\xa2    arranging for remote backup facilities that can be used if the entity\xe2\x80\x99s\n     usual facilities are damaged beyond use; and\n\xe2\x80\xa2    ensuring that staff and other users of the system understand their\n     responsibilities in case of emergencies.\n\nTaking such steps, especially implementing thorough backup procedures and\ninstalling environmental controls, are generally inexpensive ways to prevent\nrelatively minor problems from becoming costly disasters. In particular, an\nentity should maintain an ability to restore data files, which may be\nimpossible to recreate if lost. In addition, effective maintenance, problem\nmanagement, and change management for hardware equipment will help\nprevent unexpected interruptions.\n\nSC-2.1: Data and program backup procedures have been\n        implemented\n\nRoutinely copying data files and software and securely storing these files at\na remote location are usually the most cost-effective actions that an entity\ncan take to mitigate service interruptions. Although equipment can often be\nreadily replaced, the cost could be significant, and reconstructing\ncomputerized data files and replacing software can be extremely costly and\ntime-consuming. Sometimes, reconstruction of data files may be virtually\nimpossible. In addition to the direct costs of reconstructing files and\nobtaining software, the related service interruptions could lead to significant\nfinancial losses.\n\nA program should be in place for regularly backing up computer files,\nincluding master files, transaction files, application programs, systems\nsoftware, and database software, and storing these backup copies securely\n\n                                       64\n\x0cat an off-site location. Although choosing a backup storage location is a\nmatter of judgment, the backup location should be far enough away from\nthe primary location that it will not be impaired by the same events, such as\nfires, storms, and electrical power outages. In addition, it should be\nprotected from unauthorized access and from environmental hazards, such\nas fires and power outages.\n\nSC-2.3: Staff have been trained to respond to emergencies\n\nStaff should be trained in and aware of their responsibilities in preventing,\nmitigating, and responding to emergency situations. For example, data\ncenter staff should receive periodic training in emergency fire, water, and\nalarm incident procedures as well as their responsibilities in starting up and\nrunning an alternate data processing site. Also, if outside users are critical\nto the entity\xe2\x80\x99s operations, they should be informed of the steps they may\nhave to take as a result of an emergency.\n\nGenerally, information on emergency procedures and responsibilities can be\nprovided through training sessions and by distributing written policies and\nprocedures. Training sessions should be held at least once a year and\nwhenever changes to emergency plans are made.\n\nAlso, if staff could be required to relocate or significantly alter their\ncommuting routine in order to operate an alternate site in an emergency, it\nis advisable for an entity to incorporate into the contingency plan steps for\narranging lodging and meals or any othe r facilities or services that may be\nneeded to accommodate the essential human resources.\n\n\n Critical Element SC-4: Periodically test the contingency plan and\n adjust it as appropriate\n\n\nTesting contingency plans is essential to determine whether they will\nfunction as intended in an emergency situation. According to OMB, federal\nmanagers have reported that testing revealed important weaknesses in their\nplans, such as backup facilities that could not adequately replicate critical\noperations as anticipated. Through the testing process, these plans were\nsubstantially improved.\n\nThe most useful tests involve simulating a disaster situation to test overall\nservice continuity. Such a test would include testing whether the alternative\ndata processing site will function as intended and whether critical computer\ndata and programs recovered from off-site storage are accessible and\ncurrent. In executing the plan, managers will be able to identify weaknesses\n\n                                      65\n\x0cand make changes accordingly. Moreover, tests will assess how well\nemployees have been trained to carry out their roles and responsibilities in a\ndisaster situation.\n\nSC-4.1: The plan is periodically tested\n\nThe frequency of contingency plan testing will vary depending on the\ncriticality of the entity\xe2\x80\x99s operations. Generally, contingency plans for very\ncritical functions should be fully tested about once every year or two,\nwhenever significant changes to the plan have been made, or when\nsignificant turnover of key people has occurred. It is important for top\nmanagement to assess the risk of contingency plan problems and develop\nand document a policy on the frequency and extent of such testing.\n\n\n\n\n                                      66\n\x0c                                                                          APPENDIX 6\n\n\n\n\n                     GENERAL ACCOUNTING OFFICE\n         FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL\n\n              APPLICATION CONTROLS REVIEW GUIDELINES\n\nThe general controls guidelines used for this audit were obtained from\nChapter 4, \xe2\x80\x9cEvaluating and Testing Application Controls,\xe2\x80\x9d of the GAO\xe2\x80\x99s\nFISCAM. The information below represents only those sections from the\nFISCAM that serve as the basis for the vulnerabilities identified during our\nreview of the Prisoner Tracking System.18\n\n4.0      OVERVIEW\n\nApplication controls are the structure, policies, and procedures that\napply to separate, individual application systems, such as accounts\npayable, inventory, payroll, grants, or loans. An application system is\ntypically a collection or group of individual computer programs that\nrelate to a common function. In the federal government, some\napplications may be complex comprehensive systems, involving\nnumerous computer programs and organizational units, such as those\nassociated with benefit payment systems. For the purposes of this\ndocument, application controls encompass both the routines contained\nwithin the computer program code, and the policies and procedures\nassociated with user activities, such as manual measures performed by\nthe user to determine that data were processed accurately by the\ncomputer.\n\nApplication controls help make certain that transactions are valid, properly\nauthorized, and completely and accurately processed by the computer. They\nare commonly categorized into three phases of a processing cycle:\n\n\xe2\x80\xa2   input \xe2\x80\x93 data are authorized, converted to an automated form, and\n    entered into the application in an accurate, complete, and timely manner;\n\xe2\x80\xa2   processing \xe2\x80\x93 data are properly processed by the computer and files are\n    updated correctly; and\n\xe2\x80\xa2   output \xe2\x80\x93 files and reports generated by the application actually occur\n    and accurately reflect the results of processing, and reports are controlled\n    and distributed to the authorized users.\n\n\n\n    18\n      The areas from the FISCAM selected for inclusion in this report have been\nparaphrased.\n\n                                           67\n\x0cSome guides provide additional categories of application controls. For\nexample, data origination is a breakout of input it controls to focus on source\ndocuments and their need for authorization and proper preparation and\ncontrol. Also, data storage and retrieval focuses on access to and use of\ndata files and protecting their integrity.\n\nInstead of using the phases of a processing cycle, this document uses\ncontrol categories that better tie-in with the Specific Control Evaluation\nWorksheets (SCE) found in the Financial Audit Manual. The SCE is used to\ndocument the controls evaluation and is prepared for each significant\naccounting application. Included on the SCE are columns for recording the\ncontrol objectives and control techniques being evaluated, and accuracy\nincluding whether the assertion and related transactions are authorized,\ncomplete, valid, and accurate. The control objectives and techniques\naddressed in this chapter are consistent with other guidance, but our\ncategorization, tying to the SCE, are the following:\n\n\xe2\x80\xa2   Authorization controls \xe2\x80\x93 This is most closely aligned with the financial\n    statement accounting assertion of existence or occurrence. This\n    assertion, in part, concerns the validity of transactions and ensures that\n    they represent economic events that actually occurred during a given\n    period.\n\n\xe2\x80\xa2   Completeness controls \xe2\x80\x93 This directly relates to the financial statement\n    accounting assertion on completeness, which deals with whether all valid\n    transactions are recorded and properly classified.\n\n\xe2\x80\xa2   Accuracy controls \xe2\x80\x93 This most directly relates with the financial\n    statement assertion on valuation or allocation. This assertion deals with\n    whether transactions are recorded at correct amounts. The control\n    category, however, is not limited to financial information, but also\n    addresses the accuracy of other data elements.\n\n\xe2\x80\xa2   Controls over integrity of processing and data files \xe2\x80\x93 These\n    controls, if deficient, could nullify each of the above control types and\n    allow the occurrence of unauthorized transactions, as well as contribute\n    to incomplete and inaccurate data.\n\n\n\n\n                                      68\n\x0c4.1   AUTHORIZATION CONTROLS (AN)\n\nOnly authorized transactions should be entered into the application system\nand processed by the computer.\n\n\n Critical Elements\n\n AN-1 All data are authorized before entering the application system\n AN-2 Restrict data entry terminals to authorized users for authorized\n      purposes\n AN-3 Master files and exception reporting help ensure all data are\n      processed and are authorized\n\n\n\n\n Critica l Element AN-1: All data are authorized before entering the\n application system\n\n\nData should be authorized before it is entered into the application system.\nFederal financial management systems are often characterized as large\ncomplex \xe2\x80\x98legacy\xe2\x80\x99 systems and often involve a multitude of documents that\nflow through various work steps. Paper source documents still play a\nsignificant role for originating data that enter application systems in the\nfederal government. These source documents should fall under control\nmeasures so that unauthorized transactions are not submitted to and\nprocessed by the application. Also, data \xe2\x80\x93 whether from a source document\nor not \xe2\x80\x93 should undergo an independent or supervisory review prior to\nentering the application.\n\nAN-1.1 Source documents are controlled and require authorizing\n       signatures\n\nControl over source documents should begin even before data is recorded on\nthe document. Access restrictions over blank source documents should\nprevent unauthorized personnel from obtaining a blank source document,\nrecording unauthorized information, and inserting the document in the flow\nwith authorized documents and possibly causing a fraudulent or malicious\ntransaction to occur. Use of pre-numbered source documents could help\nidentify unauthorized documents that fall outside the range of authorized\nnumbers for documents being prepared for data entry.\n\n\n\n                                    69\n\x0cKey source documents for an application should require an authorizing\nsignature, and the document should provide space for the signature by an\nauthorized official.\n\nAN-1.2 Supervisory or independent reviews of data occur before\n       entering the application system.\n\nProviding supervisory or independent review of data before entering the\napplication system helps prevent the occurrence of unauthorized\ntransactions. A data control unit is effective for this purpose and this\nfunction has evolved as technology has advanced. With earlier systems,\nsource documents were batched in the user department and sent to a data\ncontrol unit that was organizationally under the information systems\ndepartment. This unit monitored data entry and processing of the\ndocuments, seeing that all batches were received, entered, and processed\ncompletely. In addition, personnel in this unit verified that each source\ndocument was properly prepared and authorized before the data on the\ndocument was entered into the system.\n\nThis function has migrated to the user department as it gained access to\napplication systems through computer terminals. Several or more personnel\nin the user department may now enter source documents into a transaction\nfile that is not released for processing until a supervisory or independent\nreview occurs. A user department control unit may have the responsibility\nto see that entered transactions are supported by a source document that\ncontains a valid authorizing signature. Also, supervisors in the user\ndepartment may hold this responsibility. These application systems may\nhave a separate authorization screen accessed by computer terminal, by\ncontrol unit, or by supervisory personnel. After verifying the input\ntransactions, the control unit or supervisory personnel enter the required\nauthorization and release the data for further processing.\n\n\n Critical Element AN-2: Restrict data entry terminals to authorized\n users for authorized purposes\n\n\n\nThe integrity of application data can be compromised by unauthorized\npersonnel who have unrestricted access to data entry terminals, as well as\nby authorized users who are not restricted in what transactions they can\nenter. Without limits, unauthorized personnel and authorized users could\nenter fraudulent or malicious transactions. To counter this risk, both\nphysical and logical controls are needed to restrict data entry terminals to\nauthorized users for authorized purposes.\n\n                                     70\n\x0cAN-2.1 Data entry terminals are secured and restricted to authorized\n       users\n\nData entry terminals should be located in physically secure rooms. When\nterminals are not in use, these rooms should be locked, or the terminals\nthemselves should be capable of being secured to prevent unauthorized use.\nSupervisors should sign on to each terminal device, or authorize terminal\nusage from a program file server, before an operator can sign on to begin\nwork for the day. Each operator should be required to use a unique\npassword and identification code before being granted access to the system.\n\nData entry terminals should be connected to the system only during\nspecified periods of the day, which corresponds with the business hours of\nthe data entry personnel. Each terminal should automatically disconnect\nfrom the system when not used after a specified period of time.\n\nWhere dial-up access is used to connect terminals to the system, connection\nshould not be completed until the system calls back to the terminal. These\nterminals should generate a unique identifier code for computer verification.\nSuch procedures help limit access to known, authorized terminals.\n\nOn-line access logs should be maintained by the system, for example,\nthrough the use of security software, and should be reviewed regularly for\nunauthorized access attempts. All transactions should be logged as they are\nentered, along with the terminal ID that was used, and the ID of the person\nentering the data. This builds an audit trail and helps hold personnel\naccountable for the data they enter.\n\n\n4.2   COMPLETENESS CONTROLS (CP)\n\nAll authorized transactions should be entered into and completely processed\nby the computer.\n\n\n Critical Elements\n\n CP-1 All authorized transactions are entered into and processed by the\n      computer\n CP-2 Reconciliations are performed to verify data completeness\n\n\n\n\n                                     71\n\x0c Critical Element CP-1: All authorized transactions are entered into\n and processed by the computer\n\n\n\nA control for completeness is one of the most basic application controls, but\nis essential to ensure that all transactions are processed, and missing or\nduplicate transactions are identified. The most commonly encountered\ncontrols for completeness include the use of record counts and control totals,\ncomputer sequence checking, computer matching of transaction data with\ndata in a master or suspense file, and checking of reports for transaction\ndata.\n\nCP-1.2 Computer sequence checking\n\nThis control begins by providing each transaction with a unique sequential\nnumber. Some transactions originate on source documents with\npreassigned serial numbers. This number should be entered into the\ncomputer along with the other data on the transaction. The computer can\nidentify numbers missing from the sequence and provide a report of those\nnumbers. The missing numbers should be investigated to determine\nwhether they are numbers for voided source documents, or are valid\ndocuments that may have been lost or misplaced.\n\nFor transactions not on source documents with preassigned serial numbers,\nthe computer can assign a unique sequential number as the data is entered.\nAt a later point in processing, such as when transaction data updates a\nmaster file, the computer can verify that all numbers are accounted for.\nAgain, missing numbers are reported for investigation.\n\nSequence checking is also valuable in identifying duplicate transactions. For\nexample, two transactions with the same preassigned serial number for a\nsource document would indicate that the transaction had been erroneously\nentered a second time. As another example, a file of sequential numbers for\npurchase orders could help prevent paying for the purchase more than once.\nAfter the purchased goods and vendor\xe2\x80\x99s bill are received, a payment\ntransaction with the purchase order number would be matched with the file\ncontaining all purchase order numbers, and an indicator for the payment\nwould be recorded on the file for that purchase. The payment indicator\nwould cause following payment transactions for the same purchase order to\nbe rejected and reported for investigation.\n\n\n\n                                     72\n\x0c4.3   ACCURACY CONTROLS (AY)\n\nThe recording of valid and accurate data into an application system is\nessential to provide for an effective system that produces reliable results.\n\n CRITICAL ELEMENTS\n\n AY-1   Data entry design features contribute to data accuracy\n AY-2   Data validation and editing are performed to identify erroneous data\n AY-3   Erroneous data are captured, reported, investigated, and corrected\n AY-4   Output reports are reviewed to help maintain data accuracy and\n        validity\n\n\n Critical Element AY-3: Erroneous data are captured, reported,\n investigated, and corrected\n\n\nTransactions detected with errors need to be controlled to ensure that they\nare corrected and reentered in a timely manner. During data entry,\nparticularly with more modern systems, an error can be identified and\ncorrected at the data entry terminal. With errors identified during the data\nprocessing cycle, however, a break generally has been made from the data\nentry terminal. Therefore, errors identified cannot be communicated in a\nreal-time mode back to personnel entering the data for immediate\ncorrection. An automated error suspense file is an essential element to\ncontrolling these data errors, and the errors need to be effectively reported\nback to the user department for investigation and correction.\n\nAY-3.2 Erroneous data are reported back to the user department for\n       investigation and correction\n\nSystems that allow user groups to enter data at a computer terminal often\nallow data to be edited as it is entered, and generally the systems allow\nimmediate correction of errors as they are identified. Error messages should\nclearly indicate what the error is and what corrective action is necessary.\nErrors identified at a later point in processing should be reported to the user\noriginating the transaction for correction.\n\nSome systems may use error reports to communicate to the user\ndepartment the rejected transactions in need of correction. More modern\nsystems will provide user departments\xe2\x80\x99 access to a file containing erroneous\ntransactions. Using a computer terminal, users can initiate corrective\nactions. Again, error messages should clearly indicate what the error is and\n\n                                      73\n\x0cwhat corrective action is necessary. The user responsible for originating the\ntransaction should be responsible for correcting the error. All corrections\nshould be reviewed and approved by supervisors before being reentered into\nthe system, or released for processing if corrected from a computer\nterminal.\n\n Critical Element AY-4: Output reports are reviewed to help\n maintain data accuracy and validity\n\n\n\nOutput can be in several forms, including printed reports, data accessible\non-line by users, and computer files that will be used in a later processing\ncycle, or by other programs in the application. Output should be reviewed\nand control information should be reconciled to determine whether errors\noccurred during processing. Various reports are typically produced by\napplication systems that, if reviewed, help maintain the data\xe2\x80\x99s accuracy and\nvalidity. Production and distribution of these reports need to be controlled,\nand to be effective, they need to be reviewed by user department personnel.\n\nAY-4.1 Control output production and distribution\n\nSomeone should be assigned responsibilities for seeing that all outputs are\nproduced and distributed in accordance with the requirements and design of\nthe application system. In larger organizations with mainframe computer\nenvironments, this responsibility is typically assigned as part of the\nresponsibilities of a data control group, which falls within the information\nsystems department. This group, or some alternative, should maintain a\nschedule by application that shows the output products produced, when they\nshould be completed, whom the recipients are, the copies needed, and when\nthey are to be distributed. The group should review output products for\ngeneral acceptability and reconcile control information to determine the\ncompleteness of processing.\n\nPrinted reports should contain proper identification, including a title page\nwith the report name, time and date of production, and the processing\nperiod covered by the report. Reports should also have an \xe2\x80\x9cend-of-report\xe2\x80\x9d\nmessage to positively indicate the end of a report. A report may have pages\nmissing at the end of the report, which may go undetected without this type\nof message. Controls and procedures are needed to ensure the proper\ndistribution of output to authorized users. Without control over distribution,\nusers may not receive needed output in a timely manner, and unauthorized\npersons may gain access to output containing privacy or sensitive\ninformation. Each output should be logged, manually if not done\n\n                                     74\n\x0cautomatically, along with the recipients of the output, including outputs that\nare transmitted to a user\xe2\x80\x99s terminal device. For these transmissions, the\ncomputer system should automatically check the output message before\ndisplaying, writing, or printing to make sure the output has not reached the\nwrong terminal device. In the user department, outputs transmitted should\nbe summarized daily and printed for each terminal device, and reviewed by\nsupervisors.\n\nOccasionally, errors may be identified in output products requiring corrective\naction, including possibly rerunning application programs to produce the\ncorrect product. A control log of output product errors should be\nmaintained, including the corrective actions taken. Output from reruns\nshould be subjected to the same quality review as the original output.\n\n\n4.4   CONTROLS OVER INTEGRITY OF PROCESSING AND DATA FILES\n\n\nExamples of items to cover:\n\n\n      \xe2\x80\xa2   Procedures ensure that the current versions of production\n          programs and data files are used during processing.\n\n      \xe2\x80\xa2   Programs include routines to verify that the proper version of the\n          computer file is used during processing.\n\n      \xe2\x80\xa2   Programs include routines for checking internal file header labels\n          before processing.\n\n      \xe2\x80\xa2   The application protects against concurrent file updates.\n\n\n\n\n                                      75\n\x0c                                                                          APPENDIX 7\n\n\n               GENERAL ACCOUNTING OFFICE\n  ASSESSING THE RELIABILITY OF COMPUTER-PROCESSED DATA\n\n                DATA INTEGRITY ASSESSMENT GUIDELINES\n\nData reliability refers to the accuracy and completeness of\ncomputer-processed data, given the intended purposes for use.\nComputer-processed data include data (1) entered into a computer\nsystem and (2) resulting from computer processing. Computer-processed\ndata can vary in form \xe2\x80\x93 from electronic files to tables in published\nreports. The definition of computer-processed data is therefore broad. In\nthis guidance, the term data always refers to computer-processed data.\n\nThe \xe2\x80\x9cYellow Book\xe2\x80\x9d requires that a data reliability assessment be\nperformed for all data used as support for engagement findings,\nconclusions, or recommendations.19 This guidance will help you to design\na data reliability assessment appropriate for the purposes of the\nengagement and then to evaluate the results of the assessment.\n\nData are reliable when they are (1) complete (they contain all of\nthe data elements and records needed for the engagement) and (2)\naccurate (they reflect the data entered at the source or, if available, in\nthe source documents). 20, 21 A subcategory of accuracy is consistency.\nConsistency refers to the need to obtain and use data that are clear and\nwell-defined enough to yield similar results in similar analyses. For\nexample, if data are entered at multiple sites, inconsistent interpretation\nof data rules can lead to data that, taken as a whole, are unreliable.\nReliability also means that for any computer processing of the data\nelements used, the results are reasonably complete and accurate, meet\nyour intended purposes, and are not subject to inappropriate alteration.\n\n\n\n\n       19\n          The GAO\xe2\x80\x99s \xe2\x80\x9cGovernment Auditing Standards,\xe2\x80\x9d 2003 Revision, commonly\nreferred to as the \xe2\x80\x9cYellow Book\xe2\x80\x9d sets forth generally accepted government auditing\nstandards for use by government auditors.\n\n       20\n           A data element is a unit of information with definable parameters (for example,\na social security number), sometimes referred to as a data variable or data field.\n\n       21\n            Source document. Information that is the basis for entry of data into a\ncomputer.\n\n                                              76\n\x0c                                                         APPENDIX 8\n\n\n\n               ACRONYMS AND ABBREVIATIONS\n\nABS           Automated Booking Station\nBOP           Federal Bureau of Prisons\nCSSO          Computer Systems Security Officer\nD/AZ          District of Arizona\nDBMS          Database Management System\nDC/DC         District Court for the District of Columbia\nDepartment    Department of Justice\nDO            District Office\nDOB           Date of Birth\nE/PA          Eastern District of Pennsylvania\nE/VA          Eastern District of Virginia\nFBI           Federal Bureau of Investigation\nFD-129        FBI Fingerprint Cards\nFISCAM        Federal Information System Controls Audit Manual\nFISMA         Federal Information Security Management Act\nGAO           General Accounting Office\nJ&C           Judgment and Commitment Order\nMNet          Marshals Network\nN/IL          Northern District of Illinois\nNIST          National Institute of Standards and Technology\nOIG           Office of the Inspector General\nOMB           Office of Management and Budget\nPTS           Prisoner Tracking System\nPSD           Prisoner Services Division\nSDLC          Software Development Life Cycle\nS/FL          Southern District of Florida\nS/NY          Southern District of New York\nSP            Special Publication\nS/TX          Southern District of Texas\nSSN           Social Security Number\nU.S.C.        United States Code\nUSERID        User identification\nUSM           United States Marshals\nUSM-552/553   Medical Summary of Federal Prisoner/Alien in Transit\nUSMS          United States Marshals Service\nUSM-129       United States Marshals Service-129 Prisoner Intake Form\nUSM-312       United States Marshals Service-312 Personal History Form\nWT-J/C        Waiting Judgment and Commitment Order\n\n\n\n\n                                77\n\x0c                                                                APPENDIX 9\n\n\n\n                      GENERAL CONTROLS CRITERIA\n\n\n 1.   Privacy Act of 1974, Public Law 93-579\n\n 2.   Computer Fraud & Abuse Act of 1986, as amended, Public Law 99-474\n\n 3.   Computer Security Act of 1987, Public Law 100-235\n\n 4.   Paperwork Reduction Act of 1978, as amended in 1995, U.S. Code 44\n      Chapter 35\n\n 5.   OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d\n      Section 6, \xe2\x80\x9cDefinitions\xe2\x80\x9d and Section 8, \xe2\x80\x9cPolicy\xe2\x80\x9d\n\n 6.   OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated\n      Information Resources,\xe2\x80\x9d Section A, \xe2\x80\x9cRequirements\xe2\x80\x9d and B, \xe2\x80\x9cDescriptive\n      Information\xe2\x80\x9d\n\n 7.   The GAO\xe2\x80\x99s Federal Information System Controls Audit Manual,\n      Chapter 3, \xe2\x80\x9cEvaluating and Testing General Controls\xe2\x80\x9d\n\n 8.   Department of Justice Order 2640.2E, Information Technology Security,\n      Chapter 1, \xe2\x80\x9cSecurity Program Management\xe2\x80\x9d and Chapter 2, \xe2\x80\x9cSecurity\n      Requirements\xe2\x80\x9d\n\n 9.   National Institute of Standards and Technology, Special Publication\n      800-12, \xe2\x80\x9cAn Introduction to Computer Security: The NIST Handbook\xe2\x80\x9d\n\n10.   National Institute of Standards and Technology, Special Publication\n      800-18, \xe2\x80\x9cGuide for Developing Security Plans for Information\n      Technology Systems\xe2\x80\x9d\n\n11.   National Institute of Standards and Technology, Special Publication\n      800-34, \xe2\x80\x9cContingency Planning Guide for Information Technology\n      Systems\xe2\x80\x9d\n\n12.   National Institute of Standards and Technology, Special Publication\n      800-40\n\n13.   National Institute of Standards and Technology, Federal Information\n      Processing Standards Publication 73, Section 3.1.1\n\n\n                                      78\n\x0c                                                           APPENDIX 10\n\n\n                 APPLICATION CONTROLS CRITERIA\n\n 1.   The GAO\xe2\x80\x99s Federal Information System Controls Audit Manual,\n      Chapter 4, \xe2\x80\x9cEvaluating and Testing Application Controls\xe2\x80\x9d\n\n 2.   Department of Justice Order 2640.2E, Information Technology\n      Security, Chapter 2, \xe2\x80\x9cSecurity Requirements,\xe2\x80\x9d Section 16, \xe2\x80\x9cAccess\n      Control;\xe2\x80\x9d 18.h., \xe2\x80\x9cAccountability and Audit Trails;\xe2\x80\x9d 23, \xe2\x80\x9cAssignment\n      and Segregation of Duties\xe2\x80\x9d\n\n 3.   OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information\n      Resources,\xe2\x80\x9d Section 6, \xe2\x80\x9cDefinitions\xe2\x80\x9d and Section 8, \xe2\x80\x9cPolicy\xe2\x80\x9d\n\n 4.   OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated\n      Information Resources,\xe2\x80\x9d Section A.3.b.2., \xe2\x80\x9cApplication Security\n      Plan\xe2\x80\x9d and B.b.2.g., \xe2\x80\x9cPublic Access Controls\xe2\x80\x9d\n\n 5.   OMB Circular A-130, Appendix IV, \xe2\x80\x9cAnalysis of Key Sections,\xe2\x80\x9d\n      Analysis, Section 8a(4), \xe2\x80\x9cRecords Management\xe2\x80\x9d and \xe2\x80\x9cTraining\xe2\x80\x9d\n\n 6.   National Institute of Standards and Technology, Special Publication\n      800-12, \xe2\x80\x9cAn Introduction to Computer Security: The NIST\n      Handbook,\xe2\x80\x9d Chapter 4, \xe2\x80\x9cCommon Threats,\xe2\x80\x9d 1. \xe2\x80\x9cErrors and\n      Omissions\xe2\x80\x9d\n\n 7.   National Institute of Standards and Technology, Special Publication\n      800-18, \xe2\x80\x9cGuide for Developing Security Plans for Information\n      Technology Systems\xe2\x80\x9d\n\n 8.   National Institute of Standards and Technology, Special Publication\n      800-53, \xe2\x80\x9cRecommended Security Controls,\xe2\x80\x9d SI-2.b \xe2\x80\x9cPersonnel\n      Supervision;\xe2\x80\x9d SI-5.e.MP-1e, \xe2\x80\x9cMedia Access;\xe2\x80\x9d and SI-5.e,\n      \xe2\x80\x9cValidation of Mission Processing, Output\xe2\x80\x9d\n\n 9.   National Institute of Standards and Technology, Special Publication\n      800-64, \xe2\x80\x9cSecurity Considerations in the Information System\n      Development Life Cycle,\xe2\x80\x9d B.10.3, \xe2\x80\x9cAuditing\xe2\x80\x9d\n\n10.   National Institute of Standards and Technology, Federal\n      Information Processing Standards Publication 73, Section 3.1,\n      \xe2\x80\x9cData Validation\xe2\x80\x9d\n\n11.   The USMS\xe2\x80\x99s Prisoner Tracking System Contingency Plan, Version\n      1.08, dated June 2003\n\n                                    79\n\x0c12.   The USMS\xe2\x80\x99s \xe2\x80\x9cCellblock Operations\xe2\x80\x9d Directive 99-47, \xe2\x80\x9cPrisoner\n      Tracking System (PTS) and Appendix B \xe2\x80\x93 \xe2\x80\x9cRecords to be\n      Maintained in the USM-123 File\xe2\x80\x9d\n\n13.   The USMS\xe2\x80\x99s \xe2\x80\x9cPrisoner Tracking System User Manual,\xe2\x80\x9d dated June\n      2003\n\n14.   The USMS\xe2\x80\x99s \xe2\x80\x9cPTS System Security Guide,\xe2\x80\x9d dated June 2003\n\n15.   The \xe2\x80\x9cUSMS System Security Plan for the Prisoner Tracking System\n      (PTS)/USMS Automated Booking Station (USMS-ABS),\xe2\x80\x9d Version 1.05,\n      dated June 2003\n\n16.   The USMS\xe2\x80\x99s Security Evaluation Report dated June 2003\n\n\n\n\n                                   80\n\x0c                                                       APPENDIX 11\n\n\n            DATA INTEGRITY ASSESSMENT CRITERIA\n\n\n1. \xe2\x80\x9cAssessing the Reliability of Computer-Processed Data,\xe2\x80\x9d\n   GAO-03-273G, October 2002\n\n2. National Institute of Standards and Technology, Special Publication\n   800-12, \xe2\x80\x9cAn Introduction to Computer Security: The NIST\n   Handbook,\xe2\x80\x9d 1.4, \xe2\x80\x9cImportant Terminology\xe2\x80\x9d\n\n\n\n\n                                  81\n\x0c     APPENDIX 12\n\n\n\n\n82\n\x0c83\n\x0c84\n\x0c85\n\x0c86\n\x0c87\n\x0c88\n\x0c89\n\x0c90\n\x0cOIG Note: Additional attachments to the consolidated response were\ntoo voluminous to incorporate into this report. The attachments may\nbe obtained by contacting the United States Marshals Service.\n\n\n\n\n                                91\n\x0c                                                         APPENDIX 13\n\n    OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION,\n      ANALYSIS AND SUMMARY OF ACTIONS NECESSARY\n                   TO CLOSE THE REPORT\n\n      The USMS\xe2\x80\x99s response to the audit (Appendix 12) describes the\nactions taken or plans for implementing our recommendations. In\nsome cases, we made revisions to our final report where appropriate.\nThis appendix summarizes our response and the actions necessary to\nclose the report. In addition to responding to the recommendations\nthe USMS stated in the second paragraph of the cover memorandum\n\xe2\x80\x9cFor purposes of accuracy, please note that Page 1 of the report\nincludes dollar figures ascribed to PTS, with Footnote 7 reporting these\nfigures to be derived from budget requests submitted to OMB and\nJMD. These figures are not consistent with what USMS has submitted\nthrough the budget process. We are at OIG\xe2\x80\x99s disposal to discuss the\nfigures reported and provide the information we believe to be\naccurate.\xe2\x80\x9d\n\n       We requested operating cost information for the PTS on two\noccasions from USMS representatives prior to the issuance of the PTS\ndraft report. On the first occasion, February 24, 2004, we sent a\nwritten request to the USMS Planning and Analysis Branch requesting\nbudget information. During our second attempt on February 25, 2004,\nwe sent a request to a USMS IT Services representative who replied\nthat he had \xe2\x80\x9cpassed the request on to the USMS budget people.\xe2\x80\x9d We\ninformed the USMS that this information would be used in the draft\nreport and that the request was time sensitive since we were in the\nfinal stages of writing the draft report. Because we were not provided\nwith information from either of the USMS contacts, we contacted the\nJustice Management Division to determine if any historical budget\ninformation existed in their files. On March 8, 2004, the Justice\nManagement Division provided the information used in the report .\nAccording to JMD\xe2\x80\x99s representative, \xe2\x80\x9cThe official source of the\ninformation are exhibit 300 or 53 reports prepared by the component\nthat are on file in our office.\xe2\x80\x9d Therefore, the OIG did not dispute the\naccuracy of the information since we were informed that it originated\nfrom the USMS.\n\n      Because the USMS expressed concern that the costs provided by\nthe JMD were not accurate, we again contacted the USMS on July 12,\n2004, to obtain the operating costs the USMS believed to be accurate\nfor PTS. On July 21, 2004, the USMS provided an email containing\n\n                                  92\n\x0ccost information for which we subsequently requested the supporting\ndocumentation such as an exhibit 300 or 53 report. However, the\nUSMS could not provide any supporting budget documentation to\nsubstantiate the figures it provided. Therefore, the operating cost\ninformation previously provided by JMD will remain in the report as the\nofficial and best available data for the PTS.\n\n       With respect to our recommendations, the USMS frequently\ndisagreed or the corrective action proposed by the USMS was not\nsufficient to address our recommendations. For these reasons,\nrecommendations 3, 4, 5, 6, 8, 9, 10, 12, 13, 14, 17, and 18 are\nunresolved. The status of each recommendation follows:\n\nRecommendation Number:\n\n1. Closed. The USMS provided a copy of a signed memorandum\n   dated April 30, 2004, designating an Information Systems Security\n   Officer (ISSO) for the PTS. As a result of the USMS actions, we\n   consider this recommendation closed.\n\n2. Resolved. The USMS states that the future Justice Detainee\n   Information System (JDIS) will include a training module for the\n   PTS application. To close this recommendation, the USMS should\n   provide milestones for its implementation to us with evidence that\n   the training module for PTS is or has been developed.\n\n3. Unresolved. The USMS requested additional information\n   pertaining to which system administrators lacked adequate training\n   and expertise regarding their knowledge of the PTS\xe2\x80\x99s hardware and\n   software environment. The USMS believed that this finding was\n   noted because the OIG may have interviewed the wrong personnel.\n\n   As we stated at our exit conference with the USMS, in planning our\n   site visits, we first contacted each affected district office and\n   requested the following individuals be made available for meetings\n   or interviews: the U.S. Marshal (or designee), system\n   administrator, and criminal clerk. At the Eastern District of\n   Virginia, we were directed to an individual whom we were told was\n   performing system administrator duties. As the interview\n   progressed, however, we learned that the individual was\n   performing some system administrator duties, but that the system\n   administrator responsible for the site was physically located at the\n   District Court for the District of Columbia. While at the Eastern\n   District of Virginia, we gathered the information this individual\n\n                                  93\n\x0ccould provide and subsequently interviewed the responsible system\nadministrator. We did not, however, interview the administrative\nofficer in lieu of the system administrator. Rather, we were initially\nmisdirected and subsequently spoke to the system administrator\nresponsible for the office. When we spoke to the system\nadministrator who represented the site in question, we still found\ndeficiencies with the system administrator\xe2\x80\x99s knowledge.\n\nAs stated in the final report, the system administrator position\ndescription provided by the USMS states that system\nadministrators are responsible for \xe2\x80\x9coperating, troubleshooting,\nrepairing, and maintaining IT systems.\xe2\x80\x9d Additionally, the position\ndescription states that employees must possess the requisite\ntechnical knowledge to sustain the availability of the hardware and\nsoftware environment and be competent to maintain operating\nsystems, applications, and data elements. According to the USMS\nheadquarters, system administrators within the district offices are\nresponsible for adding and deleting user names from the PTS\nauthorized user list. However, we found specific problems at the\nsites indicated below:\n\n   Deficiencies Found Pertaining to System Administrator\n                   Training and Expertise\n                                                    DC/DC\n\n\n\n\n                                                                   S/NY\n\n\n\n\n                                                                                               D/AZ\n                                                            E/PA\n                                             E/VA\n\n\n\n\n                                                                          S/TX\n\n\n\n\n                                                                                        S/FL\n                                                                                 N/IL\n          Specific Deficiencies\n\nSystem Administrators lacked knowledge of     x      x       x      x             x      x\nthe PTS change control process\nSystem Administrators were unfamiliar with    x      x       x             x      x      x\nthe PTS application\xe2\x80\x99s timeout period\nSystem Administrators were unfamiliar with    x      x       x      x      x      x      x\nthe PTS application\xe2\x80\x99s master files\nSystem Administrators did not know the        x      x              x      x      x      x      x\nversion number of PTS running on the\nDistrict Office\xe2\x80\x99s server\nSystem Administrators did not know how to     x      x\ndelete user names from the PTS authorized\nuser list\nSource: OIG working papers\n\n\nWhen we requested to speak to the system administrator at the\nEastern District of Virginia, we were directed to the administrative\nofficer. The administrative officer was performing cursory system\nadministrator duties and he did not know where the PTS database\n\n                                   94\n\x0c   for the district office was located. We subsequently interviewed\n   the system administrator, whom we located at the District Court\n   for the District of Columbia, and found that she did not know how\n   to delete names from the user list, among other things.\n\n   The areas identified in the previous chart represent facets of\n   requisite technical knowledge that enable system administrators to\n   effectively sustain the availability of the hardware and software\n   environment and demonstrate competence in maintaining\n   operating systems, applications, and data elements.\n\n   In order to resolve and close this recommendation, the USMS\n   should provide documented evidence to us that individuals\n   performing system administrator duties are properly trained in\n   their responsibilities.\n\n4. Unresolved. The USMS\xe2\x80\x99s response asserts that there is no\n   Department or federal security requirement to maintain user lists\n   at both the USMS district offices and at USMS headquarters. The\n   USMS response does not address our recommendation. Our\n   recommendation speaks to the condition that the PTS authorized\n   user list provided by the USMS headquarters contained information\n   that, once verified at the site, possessed multiple inaccuracies.\n   Appendices 5 and 6 of this report contain excerpts from Chapters 3\n   and 4 of the GAO\xe2\x80\x99s FISCAM, which we used as guidance for the\n   development of the audit program followed during the audit.\n   Pages 54 through 55 of the final report provide the specific FISCAM\n   requirement that the computer resource owner should maintain a\n   current list of authorized users and ensure that their access is\n   authorized. We did not recommend that separate lists be\n   maintained. Separate lists exist because the USMS headquarters\n   has delegated the user management responsibility to the district\n   offices (DOs). This does not absolve the USMS headquarters from\n   its responsibility as data owners to maintain a current list of\n   authorized users and ensure that their access is authorized.\n\n   Additionally, the Department\xe2\x80\x99s Order 2640.2E requires that each\n   authorized user of a system have a unique identifier. In the case\n   of the authorized user list provided by USMS headquarters, entries\n   were found to be outdated and did not reflect a replication of\n   changes, additions, and deletions made at the district offices we\n   visited. Our report details the nature and frequency of errors\n   found during our user list review at each site. In order to resolve\n   and close this recommendation, the USMS should provide evidence\n\n                                 95\n\x0c   to us that the access authorizations for the PTS are reviewed and\n   that USMS headquarters updates its authorized PTS user list in a\n   timely manner to incorporate changes from the DOs.\n\n5. Unresolved. As we stated at our exit conference, we found that\n   the lock on the door to the office suite containing data terminals,\n   prisoner file folders, printed output reports, and other sensitive\n   information was not engaged at the District Court for the District of\n   Columbia location. During our visit, we were able to gain access to\n   this area from the hallway in a building accessed by the public, and\n   at the time, no one assigned to the district office was present in\n   the area. Although physical security is provided at the entrance to\n   the building, private citizens are unescorted once they enter the\n   building, which presents a serious threat to the protection of\n   sensitive information. We agree that this condition occurred at\n   only one of the eight sites reviewed. However, we found that the\n   means for providing adequate physical security was present and a\n   lock was on the door. Unfortunately, the office failed to exercise\n   due diligence to ensure its use. Additionally, this condition was in\n   sharp contrast to the high levels of security observed at the other\n   seven sites visited. In order to resolve and close this\n   recommendation, the USMS should provide us with documented\n   evidence that existing measures, such as door locks, are used to\n   provide protection against unauthorized access to sensitive areas.\n\n6. Unresolved. The USMS response states that system change\n   request instructions for the PTS application have been sufficiently\n   disseminated to users of the application. The USMS headquarters\n   informed us prior to our site visits of the systems development life\n   cycle (SDLC) process in place that contains system change request\n   instructions. Although the USMS feels that users have been\n   sufficiently notified of existing policies, our observations proved\n   different. As stated previously, we followed an audit program in\n   which identical questions were asked of individuals representing\n   specific positions within the district office. Specifically, we asked\n   those most familiar with the application, the criminal clerk and the\n   system administrator, how changes were requested to the PTS\n   application. We found at all eight of the locations visited, the\n   Eastern District of Virginia; the District Court for the District of\n   Columbia; the Eastern District of Pennsylvania; the Southern\n   District of New York; the Southern District of Texas; the Northern\n   District of Illinois; the Southern District of Florida; and the District\n   of Arizona, that knowledge of the official change control process for\n   the PTS application was deficient. In most cases, neither the\n\n                                    96\n\x0c   system administrator nor the criminal clerk were aware of the\n   existence of a change request form or how to process a request\n   according to the existing policy.\n\n   Also in the USMS\xe2\x80\x99s response to recommendation 6, the USMS\n   states that the audit report text does not substantiate the\n   information in the last paragraph of page 12 of the draft report\n   where the discussion of the ineffective management of\n   modifications to application software is expanded to include\n   unauthorized changes made by knowledgeable programmers. On\n   page 16 of our report, we state that, \xe2\x80\x9cAt the USMS\xe2\x80\x99s headquarters,\n   only one individual is assigned to code, test, and implement\n   changes to the PTS application.\xe2\x80\x9d This example substantiates the\n   audit report text because according to the Department\xe2\x80\x99s Order\n   2640.2E, components are directed to integrate security into various\n   stages of a system\xe2\x80\x99s life cycle and to ensure that changes to any\n   system are controlled. Changes to a system include changes\n   requested by users as well as changes made by knowledgeable\n   programmers. We presented this information on page 16 under\n   Segregation of Duties because it represented a good example of\n   failure to segregate duties among staff although it also applies to\n   the ineffective management of modifications to application\n   software. We disagree that this vulnerability should be excluded\n   from the report. In order to resolve and close this\n   recommendation, the USMS should provide documented evidence\n   to us that PTS users are informed of the policies and procedures for\n   requesting changes to the application.\n\n7. Resolved. The USMS states that it has taken steps through the\n   development of JDIS to address the problem of PTS\xe2\x80\x99s outdated\n   programming software and database management system. In\n   order to close this recommendation, the USMS should provide\n   documented evidence to us that the outdated versions of the PTS\xe2\x80\x99s\n   application programming software and database management\n   system have been removed from the production environment and\n   replaced with current versions that are supported by the vendor.\n\n8. Unresolved. The USMS provided an attachment to its response to\n   demonstrate that duties have been segregated to minimize\n   functional incompatibility. The attachment lists duties for positions\n   within the USMS such as end users, system administrators, and the\n   information systems security officer as they relate to computer\n   security. While valuable, the information only partially addresses\n   the conditions described on pages 15 through 17 of the report that\n\n                                  97\n\x0c     enumerate problems with procedures that affect critical processes\n     performed by the PTS application\xe2\x80\x99s end users and the application\n     programmer.\n\n     In this report, we provide the FISCAM guidance under the\n     \xe2\x80\x9cSegregation of Duties\xe2\x80\x9d section that requires entities not only to\n     segregate incompatible duties, but also to establish related\n     policies. We also provide FISCAM guidance that requires entities to\n     control personnel activities through formal operating procedures\n     and supervision and review. Our recommendation applies to our\n     observations during field site visits that duties were not sufficiently\n     segregated among staff and that sufficient procedural guidance\n     does not exist for the record creation process. Specifically, district\n     office operations allow an end user to create a prisoner record,\n     manipulate that record, and commit changes to information\n     contained in the PTS database with no management oversight or\n     approval prior to the completion of a transaction, or shortly\n     thereafter. This condition creates the situation where a single\n     individual has complete control over the input, processing, and\n     output stages of the information cycle. We also provided the\n     example of the condition existing at USMS headquarters wherein\n     one individual can code, test, and implement software changes\n     thereby having complete control over the PTS\xe2\x80\x99s system life cycle.\n\n     We have reviewed the information provided as Attachment 2 to the\n     USMS response. The additional procedural steps added to the\n     Cellblock Operations Manual 99-47 address the conditions\n     described in this report pertaining to controlling personnel activities\n     through formal operating procedures. However, none of the\n     information provided ensures that duties affecting the application\xe2\x80\x99s\n     life cycle are sufficiently segregated or that supervisory review of\n     data is assigned to anyone at the district office level. In order to\n     resolve and close this recommendation, the USMS should provide\n     to us documented evidence that policies and procedures for\n     segregating duties are developed and enforced to provide\n     assurance that distinct functions are performed by different\n     individuals and that no individual has complete control over the\n     PTS\xe2\x80\x99s processing functions.\n\n9a. Unresolved. The USMS contends that system administrators are\n    fully aware of required actions and responsibilities in the event of\n    an emergency situation and the USMS requested that we provide\n    specific examples of where this may not be accurate. We\n    reviewed both the USMS system security plan for the PTS\n\n                                     98\n\x0c     application and the contingency plan for the application in order to\n     gain an understanding of emergency procedures in place to protect\n     the application and minimize service interruptions. We found that\n     emergency procedures and contact information established for the\n     PTS application are contained in the contingency plan for the\n     application; however, the USMS headquarters confirmed that it had\n     not disseminated the contingency plan to the district offices. We\n     found that none of the system administrators at the sites had been\n     provided a copy of the contingency plan containing emergency\n     procedures and contact information. In addition, we found that the\n     USMS has not tested the contingency plan for PTS to actually verify\n     that employees can perform their necessary duties in the event of\n     an emergency. We found the following conditions at the sites\n     indicated in the chart below:\n\n                   Emergency Procedures Deficiencies\n\n\n\n\n                                                       DC/DC\n\n\n\n\n                                                                      S/NY\n\n\n\n\n                                                                                                  D/AZ\n                                                               E/PA\n                                                E/VA\n\n\n\n\n                                                                             S/TX\n\n\n\n\n                                                                                           S/FL\n                                                                                    N/IL\n                Specific Conditions\n\n     No emergency contact list on site           x              x      x      x      x      x\n     No knowledge of the existing contingency    x      x       x      x      x      x      x      x\n     plan\n    Source: OIG working papers\n\n    In order to resolve and close this recommendation, the USMS\n    should provide evidence to us that it has tested the contingency\n    plan and disseminated the plan to system administrators to ensure\n    that employees involved in emergency response procedures are\n    identified and trained in their emergency roles and responsibilities.\n\n9b. Unresolved. The USMS provided information regarding the\n    location of its contingency plans on the USMS intranet. However,\n    this electronic posting does not provide assurance that in the event\n    of an emergency where access to files located on network servers\n    are not available, that individuals at the site would know who to\n    contact. In order to resolve and close this recommendation, the\n    USMS should provide to us documented evidence that emergency\n    contact lists are maintained on-site.\n\n10. Unresolved. The USMS requested additional information\n    regarding specific sites where backup tapes were not being rotated\n    off-site. We found that this condition existed at the Eastern\n\n\n                                         99\n\x0c       District of Pennsylvania and the Southern District of New York. The\n       USMS provided a corrective action plan to reinforce backup tape\n       rotation policies at the locations identified. In order to resolve and\n       close this recommendation, the USMS should provide us with\n       documented evidence that PTS\xe2\x80\x99s backup tapes are properly rotated\n       and stored at an off-site location.\n\n 11. Resolved. The USMS states that the PTS contingency plan will be\n     tested, but does not specify a milestone date for this action. In\n     order to close this recommendation, the USMS should provide us a\n     milestone date for the annual testing of the PTS contingency plan\n     as required by the Department and confirmation of the results of\n     the test once completed.\n\n12a.   Unresolved. The USMS states that key source document\n       requirements are already in place and that district office\n       management will be directed to review data collection activities.\n       We agree that modifications made to the Cellblock Operations\n       Manual 99-47 provide guidance to improve data collection\n       procedures. However, the revised Cellblock Operations Manual\n       does not define, specifically, the minimum source documents\n       required during the record creation process, such as two\n       photographs of the inmate to aid the USMS with proper inmate\n       identification and the medical form USM-552 to document health\n       related issues disclosed during the initial interview with the inmate.\n       In order to resolve and close this recommendation, the USMS\n       should provide evidence to us that policies and procedures to\n       establish key source document requirements have been developed.\n\n12b.   Unresolved. The USMS states that the record creation process is\n       standardized throughout the USMS and states that the PTS User\xe2\x80\x99s\n       Manual and associated policy directives address this condi tion.\n       However, during our site visits we found that the USMS had not\n       established controls over source documents nor provided for their\n       proper authorization because the USMS had not provided adequate\n       data rules for employees or set standards for consistency during\n       the record creation process. In order to resolve and close this\n       recommendation, the USMS should provide evidence to us that\n       policies and procedures were developed to standardize the record\n       creation process throughout the USMS for the PTS.\n\n 13. Unresolved. The USMS\xe2\x80\x99s response states that the OIG calls for a\n     supervisor to sign off on a handwritten USM-129/312. This is not\n     an accurate interpretation of our recommendation. We\n\n                                      100\n\x0c     recommended that a \xe2\x80\x9ccontrol\xe2\x80\x9d be implemented to ensure that\n     transactions are supported by properly authorized source\n     documents, but we did not mandate that supervisors sign off on\n     handwritten USM-129/312s. In the report, we simply presented\n     supervisory authorizations on source documents as an example of\n     a control. We observed at the Eastern District of Virginia that the\n     handwritten USM-129 was used as a form of authorization control\n     and offered this as an example of what worked effectively at one\n     office, but did not suggest this practice as an overall solution. The\n     determination of what specific control would be feasible for\n     implementation throughout the USMS was left to the discretion of\n     the USMS. To resolve and close this recommendation, the USMS\n     should provide us with documented evidence that it has\n     implemented a control to ensure that before information is entered\n     into the system, transactions are supported by properly authorized\n     source documents.\n\n14. Unresolved. The USMS agrees that sufficient auditing is not\n    conducted, but states that this deficiency is not due to the lack of\n    management\xe2\x80\x99s requirement to do so. We reviewed the certification\n    and accreditation documentation for the PTS application provided\n    by the USMS in June 2003. On Form 6, Item 14a and b of the Risk\n    Assessment Report for PTS/USMS-ABS dated June 2003, the USMS\n    responded affirmatively that it has defined audit requirements for\n    the PTS application and that the application has the capability to\n    identify the creator of data and processes. In order to resolve and\n    close this recommendation, the USMS should provide\n    documentation to us evidencing that audit trails for the PTS\n    application are maintained and reviewed as required by the\n    Department.\n\n15. Resolved. The USMS states that global database searches will be\n    possible through the upcoming JDIS initiative. In order to close\n    this recommendation, the USMS should provide documented\n    evidence to us indicating that the PTS application has been\n    modified to perform automatic global database searches of all its\n    district office databases.\n\n16. Resolved. The USMS indicates that erroneous data is collected\n    through jail utilization and population projection reports reviewed\n    by the Prisoner Services Division. The USMS does not indicate,\n    however, what types of erroneous data are captured or what\n    actions are taken to correct and investigate such data. Specifically,\n    this audit report refers to the need to collect and review\n\n                                    101\n\x0c    information on erroneous data, such as rejected transactions and\n    input errors or omissions, to determine if errors cause threats to\n    the PTS application or render the system vulnerable to\n    compromise. Our findings indicate that all eight sites visited failed\n    to collect statistics on the frequency of error messages generated\n    by the system. In order to close this recommendation, the USMS\n    should provide to us documented evidence of how erroneous data\n    is collected and reported back to the USMS management for\n    investigation and correction.\n\n17. Unresolved. The USMS contends that there is no \xe2\x80\x9cunauthorized\xe2\x80\x9d\n    employee from which sensitive privacy information should be\n    protected and asserts that a background investigation suffices as\n    authorization to access PTS data. However, an examination of\n    PTS\xe2\x80\x99s certification and accreditation documents indicates that the\n    USMS does distinguish between \xe2\x80\x9cauthorized\xe2\x80\x9d and \xe2\x80\x9cunauthorized\xe2\x80\x9d\n    users.\n\n    Specifically, in the PTS/USMS-ABS System Security Plan, Section\n    1.8, System Interconnection/Information Sharing, the USMS states\n    that \xe2\x80\x9cNot all Marshals users are authorized access to PTS, but all\n    users who are authorized to connect to PTS do so through MNET.\xe2\x80\x9d\n    In the security plan\xe2\x80\x99s Section 4. 2, Logical Access Controls, the\n    USMS explicitly states that \xe2\x80\x9cControls exist in the PTS system to\n    authorize and restrict users from performing particular functions.\xe2\x80\x9d\n    The document further states that \xe2\x80\x9cAccess rights are granted based\n    on the determination of USMS district management.\xe2\x80\x9d\n\n    In the PTS\xe2\x80\x99s system security plan, section 1.10, General\n    Description of Information Sensitivity, the USMS defines the\n    requirement for confidentiality as high and further states that\n    \xe2\x80\x9cInappropriate disclosure of the information of the information\n    could have negative impact on the safety of prisoners in USMS\n    custody and the law enforcement officials assigned to transport\n    and guard them. Furthermore, inappropriate disclosure could place\n    the families of prisoners in USMS custody at risk as well as USMS\n    employees assigned to protect and transport prisoners. All Privacy\n    Act information within PTS must be protected. . . The requirement\n    for confidentiality is HIGH.\xe2\x80\x9d Protection of system data includes\n    output reports and considering the USMS\xe2\x80\x99s own categorization of\n    its requirement for confidentiality as high, USMS\xe2\x80\x99s protection of\n    system output must be commensurate with its confidentiality\n    category. In order to resolve and close this recommendation, the\n    USMS should provide to us documented evidence that output\n\n                                   102\n\x0c       reports containing sensitive privacy information are protected from\n       unauthorized persons.\n\n 18. Unresolved. The USMS requests that additional information be\n     provided regarding instances where the PTS application allowed\n     simultaneous updates of the same record by more than one user.\n     We witnessed this condition at the following locations: the District\n     Court for the District of Columbia; the Eastern District of\n     Pennsylvania; the Southern District of New York; and the District of\n     Arizona. In order to resolve and close this recommendation, the\n     USMS should provide us documented evidence that each\n     installation of the PTS application protects against simultaneous\n     updates of the same record by more than one end-user.\n\n 19. Resolved. The USMS agrees with our recommendation that\n     adequate and proper source documents be maintained in prisoner\n     file folders to substantiate employee activities. The USMS\n     submitted a revised Cellblock Operations Manual 99-47 that\n     enumerates in Section C.3, Prisoner Records, specific documents\n     that must be maintained in prisoner files. In order to close this\n     recommendation, the USMS should provide documented evidence\n     to us that an internal review process has been formalized to ensure\n     that adequate and proper source documents be maintained in\n     prisoner file folders to substantiate employee activities.\n\n20a.   Resolved. The USMS agrees with our recommendation to\n       implement integrity assurances and quality control measures to\n       require periodic spot-checking and validation of output from the\n       PTS. We have accepted the USMS\xe2\x80\x99s proposed resolution to\n       Recommendation 19 that refers to Recommendation 12a. The\n       proposed resolution to Recommendation 12a states that the USMS\n       will include, during its Program Review\xe2\x80\x99s internal audits, a review\n       of prisoner\xe2\x80\x99s files to compare the contents with reports of the USM-\n       129/312 generated by PTS. In order to close this\n       recommendation, the USMS should provide documented evidence\n       to us that policies and procedures to implement quality control\n       measures require the periodic spot-checking and validation of\n       output from the PTS have been developed.\n\n20b.   Resolved. As stated previously, we accept the USMS\xe2\x80\x99s proposed\n       resolution to Recommendation 19 that refers to its proposed\n       resolution to Recommendation 12a. The proposed resolution to\n       Recommendation 12a states that output will be checked as a\n       requirement during Program review\xe2\x80\x99s internal audits to confirm\n\n                                     103\n\x0cthat processing of information is correct. In order to close this\nrecommendation, the USMS should provide documented evidence\nto us that policies and procedures have been developed to\nimplement quality control measures to confirm that the correct\ninformation is processed in PTS.\n\n\n\n\n                             104\n\x0c'